trojan downloader everything slow [resolved]



#1
kulrevon

OK, so I can't open folders through my desktop. I have to run things through the Run screen. Internet Explorer has disappeared. I have to use the Run screen. In safe mode I can open folders normally, but Internet Explorer is still gone. I can use the address bar to get on the WWW. I know most of the stuff that shouldn't be running in the processes, and about 3 days ago I was trying to find the virus myself, but it became overwhelming. So this is everything running as soon as I start up the computer, without shutting anything down.

My homepages change. Popup ads come up. Websites are added to favorites.

Computer keeps getting worse. Started on the 17th if not before.

I am running Windows XP and am almost positive I am on Service Pack 2. I always update and always ran Ad-Aware before I got this virus.

Hope this is everything.



Logfile of HijackThis v1.99.1
Scan saved at 6:17:41 PM, on 2/22/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\msab.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\Virtuagirl\Models\Virtuagirl_brianabanks_full.exe
C:\WINDOWS\system32\msnm.exe
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\taskmgr.exe
C:\Documents and Settings\John Ascani\Desktop\Unused Desktop Shortcuts\HijackThis.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\cidaemon.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5E2DD815-A676-7CB5-1698-B2A5ABA388C5} - C:\WINDOWS\ipfv32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Virtuagirl\Models\Virtuagirl_brianabanks_full.exe
O4 - HKLM\..\Run: [msnm.exe] C:\WINDOWS\system32\msnm.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\RunOnce: [msab.exe] C:\WINDOWS\msab.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateu...com/java/cr.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://akamaidownloa...iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF) - Unknown owner - C:\WINDOWS\system32\sysls32.exe (file missing)
#2
kulrevon

Also, Ad-Aware comes up with win32.trojandownloader.agent.al as msab.exe and tons of malware, CoolWebSearch and possible hijack attempt p*** website.

#3
Guest_thatman_*

Hi kulrevon

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: http://www.bleepingc...torial=62#winme

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: Fix button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
1. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
2. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
3. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
4. Once the definitions have been updated:
5. Reconfigure Ad-Aware for Full Scan as per the following instructions:
* Launch the program, and click on the Gear at the top of the start screen.
* Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is greyed out, those features are only available in the retail version.)
o "Automatically save logfile"
o "Automatically quarantine objects prior to removal"
o Safe Mode (always request confirmation)
o Prompt to update outdated confirmation) - Change to 7 days.
* Click the "Scanning" button (On the left side).
* Under Drives & Folders, select "Scan within Archives"
* Click "Click here to select Drives + folders" and select your installed hard drives.
* Under Memory & Registry, select all options.
* Click the "Advanced" button (On the left hand side).
* Under "Shell Integration", select "Move deleted files to Recycle Bin".
* Under "Log-file detail", select all options.
* Click on the "Defaults" button on the left.
* Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
* Click the "Tweak" button (Again, on the left hand side).
* Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
o "Unload recognized processes during scanning."
o "Obtain command line of scanned processes"
o "Scan registry for all users instead of current user only"
* Under "Cleaning Engine", select the following:
o "Automatically try to unregister objects prior to deletion."
o "During removal, unload explorer and IE if necessary"
o "Let Windows remove files in use at next reboot."
o "Delete quarantined objects after restoring"
* Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
* Click on "Proceed" to save these Preferences.
* Click on the "Scan Now" button on the left.
* Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
6. Close all programs except ad-aware.
7. Click on "Next" in the bottom right corner to start the scan.
8. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
9. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
O2 - BHO: (no name) - {5E2DD815-A676-7CB5-1698-B2A5ABA388C5} - C:\WINDOWS\ipfv32.dll
O4 - HKLM\..\Run: [Microsoft Tray] C:\Program Files\Virtuagirl\Models\Virtuagirl_brianabanks_full.exe
O4 - HKLM\..\Run: [msnm.exe] C:\WINDOWS\system32\msnm.exe
O4 - HKLM\..\RunOnce: [msab.exe] C:\WINDOWS\msab.exe
O8 - Extra context menu item: &Viewpoint Search - res://C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O23 - Service: Remote Procedure Call (RPC) Helper (_%AF___) - Unknown owner - C:\WINDOWS\system32\sysls32.exe


Using Windows Explorer, locate the following files/folders, and delete them:

C:\WINDOWS\msab.exe <-- Delete this file

C:\Program Files\Virtuagirl\Models\Virtuagirl_brianabanks_full.exe <-- Delete this whole folder
C:\WINDOWS\system32\msnm.exe <-- Delete this file

C:\WINDOWS\ipfv32.dll <-- Delete this file

C:\Program Files\Viewpoint\Viewpoint Toolbar\ViewBar.dll/CXTSEARCH.HTML <-- Delete this whole folder

C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU) <-- Delete this whole folder

Reboot into normal mode (simply restart your computer as you normally would),
Please run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.

Kc :tazz:
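
An added example, not part of the original thread and not a tool the helper used: a Python triage pass over HijackThis log lines, using heuristics that match several of the entries flagged above (IE search pages set to a `res://` DLL under C:\WINDOWS, unnamed BHOs, Run values named after their own file in the Windows directory, services with an unknown owner). The sample lines are copied from the first log in this thread; the rule names and function names are assumptions, and a hit is a prompt for review, not a verdict.

```python
import ntpath
import re

# Sample input: lines copied from the first HijackThis log in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\ggjnk.dll/sp.html#12345
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {5E2DD815-A676-7CB5-1698-B2A5ABA388C5} - C:\WINDOWS\ipfv32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [msnm.exe] C:\WINDOWS\system32\msnm.exe
O4 - HKLM\..\RunOnce: [msab.exe] C:\WINDOWS\msab.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF) - Unknown owner - C:\WINDOWS\system32\sysls32.exe (file missing)
"""

# "R1 - ...", "O4 - ...", "O23 - ...": section code, then the entry body.
ENTRY_RE = re.compile(r"^([A-Z]\d{1,2}) - (.*)$")
# IE page value served out of a DLL sitting in the Windows directory.
RES_DLL_RE = re.compile(
    r"^res://[a-z]:\\windows\\(?:system32\\)?[^\\/]+\.dll/", re.I
)
# "HKLM\..\Run: [value name] command line"
RUN_RE = re.compile(r"^HK(?:LM|CU)\\\.\.\\Run(?:Once)?: \[([^\]]+)\] (.+)$")
WINDOWS_DIRS = {r"c:\windows", r"c:\windows\system32"}


def classify(section, body):
    """Return a rule name (hypothetical label) for one entry, or None."""
    if section in ("R0", "R1"):
        _, sep, value = body.partition(" = ")
        if sep and RES_DLL_RE.match(value):
            return "ie-page-res-dll"
    elif section == "O2":
        # Browser Helper Object registered without a class name.
        if body.startswith("BHO: (no name)"):
            return "unnamed-bho"
    elif section == "O4":
        m = RUN_RE.match(body)
        if m:
            name, command = m.group(1), m.group(2).strip('"')
            same = ntpath.basename(command).lower() == name.lower()
            # Value named after its own executable, living in C:\WINDOWS
            # or system32 (e.g. [msab.exe] C:\WINDOWS\msab.exe).
            if same and ntpath.dirname(command).lower() in WINDOWS_DIRS:
                return "run-name-is-filename"
    elif section == "O23":
        if " - Unknown owner - " in body:
            return "service-unknown-owner"
    return None


def triage(log_text):
    """Return [(rule, line), ...] for every entry that trips a heuristic."""
    findings = []
    for raw in log_text.splitlines():
        line = raw.strip()
        m = ENTRY_RE.match(line)
        if not m:
            continue  # header, running-process list, blank lines
        rule = classify(m.group(1), m.group(2))
        if rule:
            findings.append((rule, line))
    return findings


if __name__ == "__main__":
    for rule, line in triage(SAMPLE_LOG):
        print(f"{rule:24} {line}")
```

Entries these rules do not cover, such as the [Microsoft Tray] Run value pointing into Program Files, still need a reviewer's eye.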

#4
kulrevon

OK, I'm trying to do everything you say, but when I am in normal mode there's like 51 processes running and it slows things down a lot. Can I close stuff I know isn't good or just deal with it?

#5
Guest_thatman_*

Hi kulrevon

Please read my last post, you will see that the fix is to run in safemode.

Please run the fix as was stated.

Kc :tazz:

#6
kulrevon


Reboot into normal mode (simply restart your computer as you normally would),
Please run the following free, online virus scans:

http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.


This is where I ran into having a hard time.
I did everything else in safe mode, and when I restarted normal I had more processes running.

So the fix in safe mode didn't work; when I got into normal it just got worse.
Sorry for the misunderstanding.

#7
Guest_thatman_*

Hi kulrevon

Please post a new HijackThis.Log

Thanks

Kc :tazz:

#8
kulrevon

This is the new HijackThis log, the ActiveScan log and the Buster. When I restarted it again I could run it a little bit. I didn't get to run the HouseCall; it wouldn't work.

Logfile of HijackThis v1.99.1
Scan saved at 2:17:05 AM, on 2/24/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\d3ln32.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Apoint\Apntex.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\system32\dmsuinit.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Documents and Settings\John Ascani\Desktop\Unused Desktop Shortcuts\HijackThis.exe
C:\Program Files\Web_Rebates\WebRebates1.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\Program Files\Web_Rebates\WebRebates0.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {388C2E34-686F-EB26-27A8-3DED78707177} - C:\WINDOWS\sysji.dll
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [sysdn.exe] C:\WINDOWS\sysdn.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [AutoLoaderAproposClient] "C:\DOCUME~1\JOHNAS~1\LOCALS~1\Temp\cxtpls_loader.exe" /PC=CP.IST /ForSupportedBrowsers /ShowLegalNote=nonbranded
O4 - HKLM\..\Run: [uFnX3tg] dmsuinit.exe
O4 - HKLM\..\Run: [Internet Optimizer] "C:\Program Files\Internet Optimizer\optimize.exe"
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunOnce: [d3ln32.exe] C:\WINDOWS\d3ln32.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateu...com/java/cr.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://akamaidownloa...iTunesSetup.exe
O16 - DPF: {42F2C9BA-614F-47C0-B3E3-ECFD34EED658} (Installer Class) - http://www.ysbweb.co...ysb_regular.cab
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF) - Unknown owner - C:\WINDOWS\system32\sysls32.exe (file missing)


Incident Status Location

Adware:Adware/Apropos No disinfected C:\Documents and Settings\John Ascani\Local Settings\Temp\AutoUpdate0\auto_update_install.exe
Adware:Adware/Envolo No disinfected C:\Documents and Settings\John Ascani\Local Settings\Temp\AutoUpdate0\setup.inf
Adware:Adware/TopRebates No disinfected C:\Documents and Settings\John Ascani\Local Settings\Temp\djtopr1150.exe
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\John Ascani\Local Settings\Temp\optimize.exe
Adware:Adware/TopRebates No disinfected C:\Documents and Settings\John Ascani\Local Settings\Temp\webrebates.exe
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\John Ascani\Local Settings\Temporary Internet Files\Content.IE5\D1WHZ30R\optimize[1].exe
Adware:Adware/TopRebates No disinfected C:\Documents and Settings\John Ascani\Local Settings\Temporary Internet Files\Content.IE5\D1WHZ30R\webrebates_usa[1].exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\John Ascani\Local Settings\Temporary Internet Files\Content.IE5\H6WN6TA7\istsvc[1].exe
Adware:Adware/Envolo No disinfected C:\Documents and Settings\John Ascani\Local Settings\Temporary Internet Files\Content.IE5\IA2Q4J2P\AutoUpdaterInstaller[1].exe
Spyware:Spyware/ISTbar No disinfected C:\Documents and Settings\John Ascani\Local Settings\Temporary Internet Files\Content.IE5\IA2Q4J2P\istrecover[1].exe
Adware:Adware/nCase No disinfected C:\Documents and Settings\John Ascani\Local Settings\Temporary Internet Files\Content.IE5\IA2Q4J2P\ncase_new[1].exe
Spyware:Spyware/Dyfuca No disinfected C:\Documents and Settings\John Ascani\Local Settings\Temporary Internet Files\Content.IE5\WS2OBQWO\nem220[1].dll
Spyware:Spyware/YourSiteBar No disinfected C:\Documents and Settings\John Ascani\Local Settings\Temporary Internet Files\Content.IE5\WS2OBQWO\ysb_regular[1].cab[ysbactivex.inf]
Virus:VBS/Inor.AF Renamed C:\ntdetect.hta
Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate\AutoUpdate.exe
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\ace.dll
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\CxtPls.dll
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\ProxyStub.dll
Spyware:Spyware/Dyfuca No disinfected C:\Program Files\Internet Optimizer\optimize.exe
Spyware:Spyware/ISTbar No disinfected C:\Program Files\ISTsvc\istsvc.exe
Adware:Adware/TopRebates No disinfected C:\Program Files\Web_Rebates\disp1150.exe
Adware:Adware/TopRebates No disinfected C:\Program Files\Web_Rebates\WebRebates0.exe
Adware:Adware/TopRebates No disinfected C:\Program Files\Web_Rebates\WebRebates1.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apiuv.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\crer.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\crkc32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3ln32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3oq32.exe
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Adware:Adware/HT401 No disinfected C:\WINDOWS\fenvj.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\ggjnk.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\hyjfutky.exe.$$$
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipqf32.exe
Virus:Trj/Spy.Justin Disinfected C:\WINDOWS\ISNSYS.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ixylixqf.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcqq32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mskb.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\qpnrw.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdknd32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sysdn.exe
Virus:Trj/Downloader.AQN Disinfected C:\WINDOWS\sysdn.exe.bak
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\atlzm.exe
Adware:Adware/Envolo No disinfected C:\WINDOWS\SYSTEM32\auto_update_uninstall.exe
Virus:Trj/Downloader.AMT No disinfected C:\WINDOWS\SYSTEM32\dmcdmail.exe
Adware:Adware/CWS.008k No disinfected C:\WINDOWS\SYSTEM32\dmsuinit.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ienp32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ntfv.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ntwf32.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\SYSTEM32\ppfyf.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\SYSTEM32\rpbxl.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\sdkjm.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\SYSTEM32\sklbm.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\syshq32.exe
-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
C:\WINDOWS\BcdSetup.log:qzgig
C:\WINDOWS\cdplayer.ini:bazni
C:\WINDOWS\KB824146.log:qnjkr
C:\WINDOWS\KB885250.log:voauv
C:\WINDOWS\Q329048.log:xqihq


Removed 4 Random Key Entries
Removed! : C:\WINDOWS\prlii.dat
Removed! : C:\WINDOWS\ptygo.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16


Removed Data Streams:
C:\WINDOWS\BcdSetup.log:qzgig
C:\WINDOWS\cdplayer.ini:bazni
C:\WINDOWS\KB824146.log:qnjkr
C:\WINDOWS\KB885250.log:voauv
C:\WINDOWS\Q329048.log:xqihq


Attempted Clean Of Temp folder.
Pages Reset... Done!

#9
kulrevon

bump for help

#10
Guest_thatman_*

Hi kulrevon

Welcome to geekstogo

You have a nasty About:Blank infection. This fix requires several tools that need to be downloaded. Please download these now, we will run them later.

1) About:Buster - Download it and extract it to C:/aboutbuster.
2) CleanUp! - Download it and install it.
3) CWShredder 2.11 - Download it and save it to your desktop.
4) Ad-Aware - Download, install, and update.

Enable hidden files and folders: be sure you're able to enable hidden files and folders.

During the fix do NOT connect to the internet. Unless you can memorize these instructions, it would be a good idea to print them out.

Boot into safe mode:
Restart your computer and as soon as it starts booting up again continuously tap F8. A menu should come up where you will be given the option to enter Safe Mode.

C:\Documents and Settings\John Ascani\Local Settings\Temporary Internet\ Delete all files in this folder
C:\Documents and Settings\John Ascani\Local Settings\Temp\ Delete all files in this folder

Using Windows Add Remove Program Files uninstall the following Programs:
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\ISTsvc\istsvc.exe
c:\program files\180solutions\sais.exe

Exit Add Remove Program Files when done.

Press Control-Alt-Del to enter the Task Manager.
Click on the Processes tab and end the following processes:
C:\WINDOWS\qpnrw.dll
C:\WINDOWS\d3ln32.exe

Exit the Task Manager when finished

Run AboutBuster
-Click Start to begin the process
-Click OK on the Buster Report dialogue box to start the scan
AboutBuster scans the computer for malicious files and deletes them.
Save the report (copy and paste into Notepad and save as a .txt file) to post a copy for review.

Run CWShredder
-Next, click on the: Fix button
-Follow the prompts, and press OK

Run CleanUp
-Make sure it is on Standard Mode
-Click the "CleanUp!" button

Run Ad-Aware
1. If you have a previous version of Ad-Aware installed, during the installation of the new version you will be prompted to uninstall or keep the older version - be sure to uninstall the previous version.
2. After installing Ad-aware, you will be prompted to update the program and run a full scan. De-select all boxes so that it does not run.
3. Manually run "Ad-Aware SE Personal" and from the main screen Click on "Check for Updates Now".
4. Once the definitions have been updated:
5. Reconfigure Ad-Aware for Full Scan as per the following instructions:
* Launch the program, and click on the Gear at the top of the start screen.
* Under General Settings the following boxes should all be checked off: (Checked will be indicated by a green circle with a check mark in it, Un-Checked is a red circle with an X in it. If it is grayed out, those features are only available in the retail version.)
o "Automatically save logfile"
o "Automatically quarantine objects prior to removal"
o "Safe Mode (always request confirmation)"
o "Prompt to update outdated definitions" - Change to 7 days.
* Click the "Scanning" button (On the left side).
* Under Drives & Folders, select "Scan within Archives"
* Click "Click here to select Drives + folders" and select your installed hard drives.
* Under Memory & Registry, select all options.
* Click the "Advanced" button (On the left-hand side).
* Under "Shell Integration", select "Move deleted files to Recycle Bin".
* Under "Log-file detail", select all options.
* Click on the "Defaults" button on the left.
* Type in the full url of what you want as your default homepage and searchpage e.g. http://www.google.com.
* Click the "Tweak" button (Again, on the left-hand side).
* Expand "Scanning Engine" by clicking on the "+" (Plus) symbol and select the following:
o "Unload recognized processes during scanning."
o "Obtain command line of scanned processes"
o "Scan registry for all users instead of current user only"
* Under "Cleaning Engine", select the following:
o "Automatically try to unregister objects prior to deletion."
o "During removal, unload explorer and IE if necessary"
o "Let Windows remove files in use at next reboot."
o "Delete quarantined objects after restoring"
* Click on "Safety Settings" and select "Write-protect system files after repair (Hosts file, etc)"
* Click on "Proceed" to save these Preferences.
* Click on the "Scan Now" button on the left.
* Under "Select Scan Mode", be sure to select "Use Custom Scanning Options".
6. Close all programs except Ad-Aware.
7. Click on "Next" in the bottom right corner to start the scan.
8. Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT - Even if not prompted to.
9. After you log back in, Ad-Aware may run to finalize the scan and remove any locked files that it may have found. Allow it to finish.

Run HJT, close any open windows, and fix the following items (if they are still there):

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\qpnrw.dll/sp.html#12345
O3 - Toolbar: YourSiteBar - {86227D9C-0EFE-4f8a-AA55-30386A3F5686} - C:\PROGRA~1\YOURSI~1\ysb.dll
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [sais] c:\program files\180solutions\sais.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [WebRebates0] "C:\Program Files\Web_Rebates\WebRebates0.exe"
O4 - HKLM\..\RunOnce: [d3ln32.exe] C:\WINDOWS\d3ln32.exe
O8 - Extra context menu item: Web Rebates - file://C:\Program Files\Web_Rebates\Sy1150\Tp1150\scri1150a.htm
O15 - Trusted Zone: *.05p.com
O15 - Trusted Zone: *.awmdabest.com
O15 - Trusted Zone: *.blazefind.com
O15 - Trusted Zone: *.clickspring.net
O15 - Trusted Zone: *.flingstone.com
O15 - Trusted Zone: *.frame.crazywinnings.com
O15 - Trusted Zone: *.mt-download.com
O15 - Trusted Zone: *.my-internet.info
O15 - Trusted Zone: *.scoobidoo.com
O15 - Trusted Zone: *.searchbarcash.com
O15 - Trusted Zone: *.searchmiracle.com
O15 - Trusted Zone: *.slotch.com
O15 - Trusted Zone: *.static.topconverting.com
O15 - Trusted Zone: *.xxxtoolbar.com
O15 - Trusted Zone: *.05p.com (HKLM)
O15 - Trusted Zone: *.awmdabest.com (HKLM)
O15 - Trusted Zone: *.blazefind.com (HKLM)
O15 - Trusted Zone: *.clickspring.net (HKLM)
O15 - Trusted Zone: *.flingstone.com (HKLM)
O15 - Trusted Zone: *.frame.crazywinnings.com (HKLM)
O15 - Trusted Zone: *.mt-download.com (HKLM)
O15 - Trusted Zone: *.my-internet.info (HKLM)
O15 - Trusted Zone: *.scoobidoo.com (HKLM)
O15 - Trusted Zone: *.searchbarcash.com (HKLM)
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - Trusted Zone: *.slotch.com (HKLM)
O15 - Trusted Zone: *.static.topconverting.com (HKLM)
O15 - Trusted Zone: *.xxxtoolbar.com (HKLM)
O15 - Trusted IP range: 206.161.125.149
O15 - Trusted IP range: 206.161.125.149 (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone (HKLM)


Using Windows Explorer, locate the following files/folders, and delete them if found:

C:\Program Files\ISTsvc\istsvc.exe
C:\WINDOWS\qpnrw.dll
C:\PROGRA~1\YOURSI~1\ysb.dll
c:\program files\180solutions\sais.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\Program Files\Web_Rebates\WebRebates0.exe
C:\WINDOWS\d3ln32.exe

Thanks to LineOFire for this .reg file fix -

1.) Copy the contents of the Quote Box below to Notepad.
2.) Save the file as RemoveTrustedZone.reg
3.) Change the Save as Type to All Files.
4.) Save this file to the desktop.

Quote:

REGEDIT4

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[-HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains]

--
1.) Double-click on RemoveTrustedZone.reg.
2.) When it asks you to merge the information to the registry click Yes.
3.) Reboot PC.
4.) Run HJT again and look for the O15 entry, it should be gone.

Reboot into normal mode (simply restart your computer as you normally would).

Please run the following free online virus scans. Please post the logs from both virus scans; we will need them to remove previous infections that have left files on your system.
http://housecall.tre.../start_corp.asp
http://www.pandasoft...n_principal.htm

Then restart your computer one more time and post a new HJT log as well as the About:Buster log I asked you to save earlier.

Kc :tazz:

#11
kulrevon
I also get the Dr Watson error message, and that exe is slowing my computer. But I don't know why it has been seen in any of the HJT.

Is Dr Watson part of the about:blank, or is that another or different virus?

I will post the HJT log as soon as I get to my personal computer.

#12
kulrevon
buster scan

Scanned at: 7:47:23 PM on: 3/1/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 16

No ADS found on system
Removed 2 Random Key Entries
Removed! : C:\WINDOWS\system32\wnjjz.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 16

No ADS found on system
Attempted Clean Of Temp folder.
Pages Reset... Done!






Scanned at: 8:16:56 PM on: 3/3/2005


-- Scan 1 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:
C:\WINDOWS\DirectX.log:bjonq
C:\WINDOWS\imsins.log:peopx
C:\WINDOWS\KB829558.log:bpudn
C:\WINDOWS\KB887822.log:pttxe
C:\WINDOWS\NETFXOCM.LOG:dmkqp
C:\WINDOWS\Prairie Wind.bmp:ahpwr
C:\WINDOWS\Q323255.log:xipfs
C:\WINDOWS\Q814995.log:qpywb
C:\WINDOWS\unvise32.exe:kttcq


Removed 2 Random Key Entries
Removed! : C:\WINDOWS\lqopv.dat
Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!

-- Scan 2 ---------------------------
About:Buster Version 4.0
Reference List : 25


Removed Data Streams:
C:\WINDOWS\DirectX.log:bjonq
C:\WINDOWS\imsins.log:peopx
C:\WINDOWS\KB829558.log:bpudn
C:\WINDOWS\KB887822.log:pttxe
C:\WINDOWS\NETFXOCM.LOG:dmkqp
C:\WINDOWS\Prairie Wind.bmp:ahpwr
C:\WINDOWS\Q323255.log:xipfs
C:\WINDOWS\Q814995.log:qpywb
C:\WINDOWS\unvise32.exe:kttcq


Attempted Clean Of Temp folder.
Removed Uninstall Key (HSA)
Removed Uninstall Key (SE)
Removed Uninstall Key (SW)
Pages Reset... Done!



hijack this log

Logfile of HijackThis v1.99.1
Scan saved at 8:24:18 PM, on 3/3/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\appes.exe
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\system32\hidill.exe
C:\WINDOWS\windg32.exe
C:\WINDOWS\system32\gcdcm.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\system32\dwwin.exe
C:\Documents and Settings\John Ascani\Desktop\Unused Desktop Shortcuts\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {BFB28430-59F9-E148-CE91-EFEF55BB49E2} - C:\WINDOWS\netvm32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [AutoUpdater] "C:\Program Files\AutoUpdate\AutoUpdate.exe"
O4 - HKLM\..\Run: [uFnX3tg] hidill.exe
O4 - HKLM\..\Run: [windg32.exe] C:\WINDOWS\windg32.exe
O4 - HKLM\..\RunOnce: [appes.exe] C:\WINDOWS\appes.exe
O4 - HKCU\..\Run: [fo47RjMsQ] gcdcm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateu...com/java/cr.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://akamaidownloa...iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF) - Unknown owner - C:\WINDOWS\system32\sysls32.exe (file missing)

#13
kulrevon
this goes with the last three posts.



Incident Status Location

Adware:Adware/SearchAid No disinfected C:\WINDOWS\appes.exe

Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate\AutoUpdate.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\netvm32.dll
Adware:Adware/Apropos No disinfected C:\PROGRA~1\AUTOUP~1\AUTOUP~1.EXE
Adware:Adware/SearchAid No disinfected C:\WINDOWS\appes.exe
Adware:Adware/DownloadWare No disinfected C:\Program Files\medch
Spyware:Spyware/ISTbar No disinfected C:\Program Files\Common Files\Totem Shared
Adware:Adware/Envolo No disinfected Windows Registry
Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate
Adware:Adware/SearchAid No disinfected Windows Registry
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.???
Adware:Adware/CWS.Aboutblank No disinfected Windows Registry
Virus:VBS/Inor.AF Renamed C:\ntdetect_hta.vir
Adware:Adware/Apropos No disinfected C:\Program Files\AutoUpdate\AutoUpdate.exe
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\ace.dll
Adware:Adware/Apropos No disinfected C:\Program Files\CxtPls\ProxyStub.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\apiuv.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\appes.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\crer.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\crkc32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\d3oq32.exe
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\YSBactivex.dll
Spyware:Spyware/YourSiteBar No disinfected C:\WINDOWS\Downloaded Program Files\ysbactivex.inf
Adware:Adware/HT401 No disinfected C:\WINDOWS\fenvj.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\ggjnk.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\ipqf32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mfcqq32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\mskb.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\nchqf.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\necpb.dll
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\netvm32.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\ntcrz.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\osxrx.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\sdknd32.exe
Adware:Adware/CWS.Aboutblank No disinfected C:\WINDOWS\sdkus.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\ssfwt.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\syspx.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\atlzm.exe
Adware:Adware/Envolo No disinfected C:\WINDOWS\SYSTEM32\auto_update_uninstall.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\SYSTEM32\cpahk.dll
Adware:Adware/CWS.008k No disinfected C:\WINDOWS\SYSTEM32\dmsuinit.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\SYSTEM32\dqiel.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ienp32.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ntfv.exe
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\ntwf32.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\SYSTEM32\ppfyf.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\SYSTEM32\rhuyd.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\SYSTEM32\rpbxl.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\sdkjm.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\SYSTEM32\sklbm.dll
Adware:Adware/SearchAid No disinfected C:\WINDOWS\SYSTEM32\syshq32.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\SYSTEM32\takzn.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\SYSTEM32\yayzq.dll
Adware:Adware/HT401 No disinfected C:\WINDOWS\SYSTEM32\ywvwe.dll
Virus:Trj/Downloader.AQN Disinfected C:\WINDOWS\windg32.exe
Adware:Adware/HT401 No disinfected C:\WINDOWS\wyjpj.dll

#14
Guest_thatman_*
Hi kulrevon

Please read through the instructions before you start (you may want to print this out).


Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:

Remote Procedure Call (RPC) Helper (_%AF___) - Unknown owner - C:\WINDOWS\system32\sysls32.exe

When you find it, double-click on it. In the next window that opens, click the Stop button, then click on Properties and, under the General tab, change the Startup Type to Disabled. Now hit Apply and then OK, and close any open windows. If you don't find this service listed, go ahead with the next steps.


Using Windows Add Remove Program Files uninstall the following Programs

C:\Program Files\AutoUpdate\AutoUpdate.exe
C:\WINDOWS\netvm32.dll

Delete the following Program folders

C:\Program Files\medch < --Delete the whole folder
C:\Program Files\CxtPls\ace.dll < --Delete the whole folder
C:\ntdetect_hta.vir < --Delete the whole folder


1. Download the Pocket Killbox.
2. Unzip the contents of KillBox.zip to a convenient location.
3. Double-click on KillBox.exe.
4. Click "Replace on Reboot" and check the "Use Dummy" box.
5. Paste this file into the top "Full Path of File to Delete" box.

C:\WINDOWS\appes.exe

6. Click the "Delete File" button which looks like a stop sign.
7. Click "Yes" at the Replace on Reboot prompt.

Now copy and paste each item below and use the same steps 1 to 7

C:\WINDOWS\appes.exe
C:\WINDOWS\appes.exe
C:\WINDOWS\apiuv.exe
C:\WINDOWS\appes.exe
C:\WINDOWS\crer.exe
C:\WINDOWS\crkc32.exe
C:\WINDOWS\d3oq32.exe
C:\WINDOWS\fenvj.dll
C:\WINDOWS\ggjnk.dll
C:\WINDOWS\ipqf32.exe
C:\WINDOWS\mfcqq32.exe
C:\WINDOWS\mskb.exe
C:\WINDOWS\nchqf.dll
C:\WINDOWS\necpb.dll
C:\WINDOWS\netvm32.dll
C:\WINDOWS\ntcrz.dll
C:\WINDOWS\osxrx.dll
C:\WINDOWS\sdknd32.exe
C:\WINDOWS\sdkus.exe
C:\WINDOWS\ssfwt.dll
C:\WINDOWS\syspx.exe
C:\WINDOWS\SYSTEM32\atlzm.exe
C:\WINDOWS\SYSTEM32\auto_update_uninstall.exe
C:\WINDOWS\SYSTEM32\cpahk.dll
C:\WINDOWS\SYSTEM32\dmsuinit.exe
C:\WINDOWS\SYSTEM32\dqiel.dll
C:\WINDOWS\SYSTEM32\ienp32.exe
C:\WINDOWS\SYSTEM32\ntfv.exe
C:\WINDOWS\SYSTEM32\ntwf32.exe
C:\WINDOWS\SYSTEM32\ppfyf.dll
C:\WINDOWS\SYSTEM32\rhuyd.dll
C:\WINDOWS\SYSTEM32\rpbxl.dll
C:\WINDOWS\SYSTEM32\sdkjm.exe
C:\WINDOWS\SYSTEM32\sklbm.dll
C:\WINDOWS\SYSTEM32\syshq32.exe
C:\WINDOWS\SYSTEM32\takzn.dll
C:\WINDOWS\SYSTEM32\yayzq.dll
C:\WINDOWS\SYSTEM32\ywvwe.dll
C:\WINDOWS\wyjpj.dll


When you have completed the above list please Reboot your PC.

Post a new HJT.LOG

Thank You

kc :tazz:

#15
kulrevon
Hey, I don't know if this is part of it, but is there a way we can fix it so Internet Explorer is back? Also, Explorer still crashes if I try to open a folder or My Computer off the desktop, and I can't get into the Control Panel when I'm not in safe mode.



Logfile of HijackThis v1.99.1
Scan saved at 1:37:20 PM, on 3/4/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\WINDOWS\system32\cisvc.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\system32\netkf.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Apoint\Apoint.exe
C:\Program Files\Dell\AccessDirect\dadapp.exe
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Dell\EUSW\Support.exe
C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\system32\hidill.exe
C:\WINDOWS\system32\appoh32.exe
C:\WINDOWS\system32\gcdcm.exe
C:\Program Files\Dell\Support\Alert\bin\NotifyAlert.exe
C:\Program Files\Apoint\Apntex.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wbem\wmiapsrv.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Documents and Settings\John Ascani\Desktop\Unused Desktop Shortcuts\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bstgy.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bstgy.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\system32\bstgy.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bstgy.dll/sp.html#12345
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\system32\bstgy.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bstgy.dll/sp.html#12345
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\system32\bstgy.dll/sp.html#12345
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = http://localhost
R3 - Default URLSearchHook is missing
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C477843C-039C-C8FA-E7A7-042CF21EB3D8} - C:\WINDOWS\iemi32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [DadApp] C:\Program Files\Dell\AccessDirect\dadapp.exe
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [DwlClient] C:\Program Files\Common Files\Dell\EUSW\Support.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\SYMANT~1\SYMANT~1\vptray.exe
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [MCUpdateExe] C:\PROGRA~1\McAfee.com\Agent\McUpdate.exe
O4 - HKLM\..\Run: [uFnX3tg] hidill.exe
O4 - HKLM\..\Run: [appoh32.exe] C:\WINDOWS\system32\appoh32.exe
O4 - HKCU\..\Run: [fo47RjMsQ] gcdcm.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office10\OSA.EXE
O8 - Extra context menu item: &AIM Search - res://C:\Program Files\AIM Toolbar\AIMBar.dll/aimsearch.htm
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ConferenceRoom Java Client - http://irc.theamateu...com/java/cr.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/potc_x.cab
O16 - DPF: {04E214E5-63AF-4236-83C6-A7ADCBF9BD02} (HouseCall Control) - http://housecall-bet...all/xscan60.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://akamaidownloa...iTunesSetup.exe
O16 - DPF: {4C39376E-FA9D-4349-BACC-D305C1750EF3} (EPUImageControl Class) - http://tools.ebayimg...l_v1-0-3-12.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {9FC5238F-12C4-454F-B1B5-74599A21DE47} (Webshots Photo Uploader) - http://community.web...otoUploader.CAB
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: C-DillaCdaC11BA - Macrovision - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: DefWatch - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\Program Files\Symantec_Client_Security\Symantec AntiVirus\Rtvscan.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\netkf.exe
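
A triage pass over a HijackThis log like the ones posted in this thread, as an added example that is not part of the original posts: it flags entry patterns that recur in these logs and are worth a reviewer's attention. The rule set and the function names are assumptions made for this illustration, not HijackThis behaviour, and the sample lines are copied from the logs above.

```python
import re

# Sample input: entry lines copied from the HijackThis logs in this thread.
SAMPLE_LOG = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://smbusiness.dellnet.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\system32\bstgy.dll/sp.html#12345
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {C477843C-039C-C8FA-E7A7-042CF21EB3D8} - C:\WINDOWS\iemi32.dll
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint\Apoint.exe
O4 - HKLM\..\Run: [uFnX3tg] hidill.exe
O4 - HKLM\..\Run: [appoh32.exe] C:\WINDOWS\system32\appoh32.exe
O15 - Trusted Zone: *.searchmiracle.com (HKLM)
O15 - ProtocolDefaults: 'http' protocol is in My Computer Zone, should be Internet Zone
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Workstation NetLogon Service ( 6Q'8) - Unknown owner - C:\WINDOWS\system32\netkf.exe
"""

# "R1 - ...", "O4 - ...", "O23 - ..." : section code, separator, entry body.
ENTRY_RE = re.compile(r"^(?P<code>[RFNO]\d{1,2}) - (?P<body>.+)$")
# O4 registry autoruns: "HKLM\..\Run: [ValueName] command line"
AUTORUN_RE = re.compile(r"^.*?: \[(?P<name>[^\]]*)\] (?P<cmd>.+)$")


def parse(log_text):
    """Return (code, body) for every numbered HijackThis entry line."""
    entries = []
    for raw in log_text.splitlines():
        m = ENTRY_RE.match(raw.strip())
        if m:
            entries.append((m.group("code"), m.group("body")))
    return entries


def review_reasons(code, body):
    """Heuristic rules (assumptions for this example); a hit means
    'look at this entry', not 'this entry is malicious'."""
    reasons = []
    if code in ("R0", "R1") and "= res://" in body.lower():
        reasons.append("IE search/start page served from a local DLL (res://)")
    if code == "O2" and body.startswith("BHO: (no name)"):
        reasons.append("browser helper object with no registered name")
    if code == "O4":
        m = AUTORUN_RE.match(body)
        if m:
            name = m.group("name").lower()
            cmd = m.group("cmd").strip('"').lower()
            if "\\" not in cmd and " " not in cmd:
                reasons.append("autorun is a bare file name with no path")
            elif name and cmd.endswith("\\" + name):
                reasons.append("autorun value is named after its own executable")
    if code == "O15":
        reasons.append("Trusted Zone or protocol-zone mapping was changed")
    if code == "O23" and " - Unknown owner - " in body:
        reasons.append("service binary carries no company name")
    return reasons


def triage(log_text):
    """Return (code, body, reasons) for each entry that matched a rule."""
    flagged = []
    for code, body in parse(log_text):
        reasons = review_reasons(code, body)
        if reasons:
            flagged.append((code, body, reasons))
    return flagged


if __name__ == "__main__":
    for code, body, reasons in triage(SAMPLE_LOG):
        print(f"{code:<4}{body}")
        for reason in reasons:
            print(f"      review: {reason}")
```

The vendor-named autoruns and services in the sample pass through unflagged, which is the point of keying on structure (missing path, missing owner, res:// target) rather than on file names that change from scan to scan.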