Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

urgent help needed have been waiting DRWATSON

Started by Goodfox , Feb 23 2005 07:01 AM

  • This topic is locked This topic is locked

#1
Goodfox
Posted 23 February 2005 - 07:01 AM

Goodfox

    Member

  • Member
  • PipPip
  • 13 posts
Please help, i can acces anything on the start menu i have to go round using control alt delete, i have used the steps shown for someone else i used about buster followed by cwshredder followed by cleaup foloowed by adwarese, and it still hasent gone.


i just updated my comp and did the tests again and this is the new hijack me log, please can you help.

Logfile of HijackThis v1.99.1
Scan saved at 18:21:11, on 22/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\netna.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\Program Files\Real\RealPlayer\RealPlay.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\cram.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe
C:\Program Files\AOL 8.0a\aoltray.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Documents and Settings\Tom\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.pas...uth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {78EDB338-80F0-E154-CA26-10AA2CB7B816} - C:\WINDOWS\system32\appqk.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cram.exe] C:\WINDOWS\system32\cram.exe
O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Tom\Local Settings\Temp\{3DBFE0D0-9F4B-45F4-B9F7-C50466A4F80E}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...5271ab95b94951b
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: BT Digital Access USB start up (Gazel Startup) - Unknown owner - C:\Program Files\BT Digital Access USB\vstartx.exe" /s (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\BT Digital Access USB\gisdnlog.exe" -s (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINDOWS\netna.exe
  • 0

Advertisements

#2
coachwife6
Posted 23 February 2005 - 10:40 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Please do not start a new thread. I was just about to ask you if you had run anything to clean up your computer before we looked at your log, but I did a search of your posts and saw on another post that you had already done that.
  • 0

#3
coachwife6
Posted 23 February 2005 - 10:54 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
You may wish to print out a copy of these instructions to follow while you complete this procedure.

Please save Hijack This in a permanent folder (i.e. C:\HJT). This ensures backups are saved and accessible.

Please go offline, close all browsers and any open Windows, making sure that only HijackThis is open. Scan and when it finishes, put an X in the boxes, only next to these following items, then click fix checked.



R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {78EDB338-80F0-E154-CA26-10AA2CB7B816} - C:\WINDOWS\system32\appqk.dll

O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.3000.1001\en-us\msntb.dll (file missing)

O4 - HKLM\..\Run: [Spyware Stormer] C:\Program Files\Spyware Stormer\SpywareStormer.Exe
O4 - Startup: Joint Operations Typhoon Rising Registration.lnk = C:\Documents and Settings\Tom\Local Settings\Temp\{3DBFE0D0-9F4B-45F4-B9F7-C50466A4F80E}\{0325F1C1-883A-41AB-8981-B27359ABDFAF}\NOVG.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\1.bin\MWSOEMON.EXE

O16 - DPF: ADVFN US - http://usa.advfn.com/advfn_us8.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://public.windup...5271ab95b94951b

O23 - Service: ISEXEng - Unknown owner - C:\WINDOWS\System32\angelex.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINDOWS\netna.exe

The following are not necessarily spyware/malware, but we suggest you place a check mark next to the following entries, as these programs may be taking up system resources.

O4 - HKLM\..\Run: [RealTray] C:\Program Files\Real\RealPlayer\RealPlay.exe SYSTEMBOOTHIDEPLAYER
(Description: RealPlayer system tray application. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - HKLM\..\Run: [msnappau] \"C:\Program Files\MSN Apps\Updater\01.02.3000.1001\en-us\msnappau.exe\"
(Description: MSN Messenger Updater. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Adobe Gamma Loader.exe.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
(Description: Adjusts monitor colours across all programs, including Photoshop. It is needed by some graphics professionals who want their monitor calibrated. Most home users will not need it, and thus should remove this entry. )

O4 - Global Startup: AOL 8.0 Tray Icon.lnk = C:\Program Files\AOL 8.0a\aoltray.exe
(Description: AOL system tray icon. Not necessary. Removing this entry will free up a small amount of system resources.)

O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
(Description: Microsoft Office Startup Assistant. This program loads some Microsoft Office components into memory, even if you're not currently using MS Office. Removing this unnecessary program will free up a considerable amount of system resources. )


Please reboot into safe mode (continually tap the F8 key while your system is starting, select Safe Mode from the menu).
Be sure you're able to view hidden files, and remove the following files in bold (if found):

C:\WINDOWS\system32\appqk.dll
C:\Program Files\MSN Apps\
C:\Program Files\Spyware Stormer\
C:\Program Files\MyWebSearch\

Please delete your temporary files. Double Click My Computer (WinXP: Navigate to Start --->My Computer)
You will see an icon representing your harddrive (most likely C: Drive) Right Click on the hard drive icon and click Properties at the
bottom of the fly out window. One the very first tab (General) you will see a button labeled "Disk Cleanup"...click that button.
Make sure the following are checked:
Downloaded Program Files
Temporary Internet Files and
Recycle Bin
Click OK and Disk Cleanup will delete those files for you.

REboot and post a new log. :tazz:
  • 0

#4
Goodfox
Posted 23 February 2005 - 02:31 PM

Goodfox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
K heres the new log the virus is still here, anything else i could do?



Logfile of HijackThis v1.99.1
Scan saved at 20:27:07, on 23/02/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\Ati2evxx.exe
C:\WINDOWS\System32\drivers\CDAC11BA.EXE
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\BT Digital Access USB\vstartx.exe
C:\Program Files\BT Digital Access USB\gisdnlog.exe
C:\Program Files\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
C:\WINDOWS\wanmpsvc.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\WINDOWS\netna.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\DSentry.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe
C:\Program Files\BT Digital Access USB\gsyno.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\QuickTime\qttask.exe
C:\WINDOWS\system32\cram.exe
C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe
C:\Program Files\Digital Line Detect\DLG.exe
C:\Program Files\FinePixViewer\QuickDCF.exe
C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\system32\wuauclt.exe
C:\Documents and Settings\Tom\Desktop\HijackThis.exe
C:\WINDOWS\system32\wuauclt.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://www.euro.dell...gen/default.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imlyi.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imlyi.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\imlyi.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imlyi.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imlyi.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imlyi.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = https://loginnet.pas...uth.srf?lc=1033
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Tiscali 10.0
R3 - Default URLSearchHook is missing
O2 - BHO: (no name) - {B4CC47DF-B9D9-5967-E16B-51A675B6C681} - C:\WINDOWS\addui.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: &Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Messenger\ycomp.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [ATIPTA] C:\Program Files\ATI Technologies\ATI Control Panel\atiptaxx.exe
O4 - HKLM\..\Run: [diagent] "C:\Program Files\Creative\SBLive\Diagnostics\diagent.exe" startup
O4 - HKLM\..\Run: [DVDSentry] C:\WINDOWS\System32\DSentry.exe
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "C:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [AdaptecDirectCD] "C:\Program Files\Roxio\Easy CD Creator 5\DirectCD\DirectCD.exe"
O4 - HKLM\..\Run: [GazelDisplay] "C:\Program Files\BT Digital Access USB\gsyno.exe" -h
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [cram.exe] C:\WINDOWS\system32\cram.exe
O4 - HKLM\..\Run: [AOL Spyware Protection] "C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\AOLSP Scheduler.exe"
O4 - HKLM\..\Run: [REGSHAVE] C:\Program Files\REGSHAVE\REGSHAVE.EXE /AUTORUN
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - Global Startup: Digital Line Detect.lnk = ?
O4 - Global Startup: Exif Launcher.lnk = ?
O4 - Global Startup: InterCheck Monitor.LNK = C:\Program Files\Sophos SWEEP for NT\ICMON.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\PROGRA~1\Yahoo!\MESSEN~1\YPager.exe
O9 - Extra button: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: @C:\Program Files\Messenger\Msgslang.dll,-61144 - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ppctlcab - http://www.pestscan....er/ppctlcab.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Chess - http://download.game...nts/y/ct2_x.cab
O16 - DPF: Yahoo! Cribbage - http://download.game...nts/y/it1_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Go Fish - http://download.game...nts/y/zt3_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...ry/msgrchkr.cab
O16 - DPF: {11260943-421B-11D0-8EAC-0000C07D88CF} (iPIX ActiveX Control) - http://www.ipix.com/download/ipixx.cab
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...MineSweeper.cab
O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab
O16 - DPF: {74D05D43-3236-11D4-BDCD-00C04F9A3B61} (HouseCall Control) - http://a840.g.akamai...all/xscan53.cab
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...StatsClient.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {AE1C01E3-0283-11D3-9B3F-00C04F8EF466} (HeartbeatCtl Class) - http://fdl.msn.com/z...s/heartbeat.cab
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} (PopCapLoader Object) - http://download.game...aploader_v5.cab
O23 - Service: AOL Spyware Protection Service (AOLService) - Unknown owner - C:\PROGRA~1\COMMON~1\AOL\AOLSPY~1\\aolserv.exe
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: C-DillaCdaC11BA - C-Dilla Ltd - C:\WINDOWS\System32\drivers\CDAC11BA.EXE
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: BT Digital Access USB start up (Gazel Startup) - Unknown owner - C:\Program Files\BT Digital Access USB\vstartx.exe" /s (file missing)
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\System32\GEARSEC.EXE
O23 - Service: ISDN connection log (GisdnLog) - Unknown owner - C:\Program Files\BT Digital Access USB\gisdnlog.exe" -s (file missing)
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton AntiVirus\navapsvc.exe
O23 - Service: Intel NCS NetService (NetSvc) - Intel® Corporation - C:\Program Files\Intel\NCS\Sync\NetSvc.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sophos Anti-Virus Network (SweepNet) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWNETSUP.EXE
O23 - Service: Sophos Anti-Virus (SWEEPSRV.SYS) - Sophos Plc - C:\Program Files\Sophos SWEEP for NT\SWEEPSRV.SYS
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
O23 - Service: WAN Miniport (ATW) Service (WANMiniportService) - America Online, Inc. - C:\WINDOWS\wanmpsvc.exe
O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINDOWS\netna.exe
  • 0

#5
coachwife6
Posted 23 February 2005 - 04:36 PM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Run Hijack This.

Click config -> Misc Tools -> Open ADS spy -> Uncheck quickscan -> Click Scan -> Save log. And post back with your results.
  • 0

#6
Goodfox
Posted 23 February 2005 - 05:20 PM

Goodfox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
k this is what i got

C:\Program Files\Webroot\Spy Sweeper\Quarantine\F_aconti[1]__exe.spy : ornqp (26802 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001009.exe : echny (11236 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0001009.exe : ghdwb (7305 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002038.INI : hslad (3063 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002039.dll : ztwnx (56832 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002045.DLL : msnth (11591 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002046.dll : wuyld (11388 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002050.ini : ogznq (10240 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002057.dll : jmkml (56832 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002058.dll : sfywl (70144 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002059.dll : owxtc (11388 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002062.EXE : ggukg (56320 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002063.ini : jwsne (11591 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002064.dll : pdzir (11388 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002065.OLD : wjtsf (0 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002068.sys : chuqc (11591 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002070.dll : esoqi (0 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002072.INI : ookqh (11591 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002073.dll : rjggy (56320 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002100.dll : hgmhc (11236 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002137.dll : bvwiux (68096 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002178.dll : gjplx (7305 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002753.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0002754.dll : snfdw (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0003752.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0003754.dll : snfdw (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004752.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0004754.dll : snfdw (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0005752.dll : wirrs (0 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0005754.dll : snfdw (0 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0006752.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP1\A0006754.dll : snfdw (0 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0006775.dll : snfdw (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0006806.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0006849.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0006851.dll : snfdw (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0007852.dll : wirrs (0 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0007854.dll : snfdw (0 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0008852.dll : wirrs (0 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0008854.dll : snfdw (0 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0009852.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0009861.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP2\A0009866.dll : snfdw (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0009900.dll : snfdw (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0009901.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0009916.dll : hoqnik (11236 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0009916.dll : ndwlu (11591 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0009917.INI : gdpqp (11388 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0009917.INI : sqtgef (30644 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0009968.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0009970.dll : snfdw (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0010968.dll : wirrs (0 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0010970.dll : snfdw (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0011968.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0011970.dll : snfdw (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0012968.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0013968.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0013970.dll : snfdw (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0014968.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0014970.dll : snfdw (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0014988.dll : wirrs (103409 bytes)
C:\System Volume Information\_restore{B37680B2-BA0A-4E5D-BF30-83E44C588624}\RP3\A0014990.dll : snfdw (103409 bytes)
C:\WINDOWS\$NtServicePackUninstall$\explorer.exe : jcuww (11591 bytes)
C:\WINDOWS\$NtServicePackUninstall$\regedit.exe : ocbpc (11388 bytes)
C:\WINDOWS\$NtServicePackUninstall$\twain_32.dll : aekae (11236 bytes)
C:\WINDOWS\addsg32.exe : hzuxsk (11236 bytes)
C:\WINDOWS\aolback.exe.lnk : guwjf (11236 bytes)
C:\WINDOWS\Blue Lace 16.bmp : zqipp (11236 bytes)
C:\WINDOWS\BOOTSTAT.DAT : ecoaug (7305 bytes)
C:\WINDOWS\BOOTSTAT.DAT : fqzyu (10240 bytes)
C:\WINDOWS\BOOTSTAT.DAT : iwgnk (7305 bytes)
C:\WINDOWS\BOOTSTAT.DAT : meukhf (55808 bytes)
C:\WINDOWS\BOOTSTAT.DAT : uvjgv (11591 bytes)
C:\WINDOWS\CAPI2032.DLL : axytm (3347 bytes)
C:\WINDOWS\CAPI2032.DLL : oyzxiv (11592 bytes)
C:\WINDOWS\CLOCK.AVI : fouzs (3347 bytes)
C:\WINDOWS\CLOCK.AVI : qskjj (26802 bytes)
C:\WINDOWS\CLOCK.AVI : tyryg (56320 bytes)
C:\WINDOWS\crby32.dll : javvys (7305 bytes)
C:\WINDOWS\crby32.dll : qqxjo (55808 bytes)
C:\WINDOWS\crds32.dll : ofjjiu (11236 bytes)
C:\WINDOWS\crvj32.dll : zgtpcx (30644 bytes)
C:\WINDOWS\crvt32(2).exe : jcncl (26802 bytes)
C:\WINDOWS\crvt32(2).exe : legiul (11236 bytes)
C:\WINDOWS\crvt32(2).exe : ltlgg (26802 bytes)
C:\WINDOWS\crvt32.exe : jcncl (26802 bytes)
C:\WINDOWS\crvt32.exe : ltlgg (26802 bytes)
C:\WINDOWS\EPSTPLOG.BAK : zhcxm (26802 bytes)
C:\WINDOWS\EXPLORER.SCF : otuyf (11236 bytes)
C:\WINDOWS\FaxSetup.log : cdnbq (7305 bytes)
C:\WINDOWS\FeatherTexture.bmp : gledh (30644 bytes)
C:\WINDOWS\hgpqp.dat : ubpno (7305 bytes)
C:\WINDOWS\hh.exe : potopl (11592 bytes)
C:\WINDOWS\hkgal.txt : kaeauc (11236 bytes)
C:\WINDOWS\ic.ini : apwylx (3567 bytes)
C:\WINDOWS\icccodes.dll : pufog (26802 bytes)
C:\WINDOWS\iczbp.txt : vtpkqp (30644 bytes)
C:\WINDOWS\iega32.dll : tqadbr (11236 bytes)
C:\WINDOWS\iels.dll : lrlieb (11236 bytes)
C:\WINDOWS\iels.dll : saehp (11236 bytes)
C:\WINDOWS\ietq.dll : skoywu (7471 bytes)
C:\WINDOWS\ieui32.dll : vsdnym (30644 bytes)
C:\WINDOWS\ieuninst.exe : qpuerk (11236 bytes)
C:\WINDOWS\ieuv32.dll : wirrs (103409 bytes)
C:\WINDOWS\ieyu32.dll : ltxmr (30644 bytes)
C:\WINDOWS\imsins.log : aknpj (30644 bytes)
C:\WINDOWS\inikt.dat : drqxuv (11236 bytes)
C:\WINDOWS\INRES.DLL : hsofz (11236 bytes)
C:\WINDOWS\INRES.DLL : lujjio (11236 bytes)
C:\WINDOWS\ipia32.dll : vracoy (30644 bytes)
C:\WINDOWS\ipixActivex.ini : tkfrzf (11236 bytes)
C:\WINDOWS\IsUninst.exe : xkrea (30644 bytes)
C:\WINDOWS\jautoexp.dat : tdbgh (11236 bytes)
C:\WINDOWS\jautoexp.dat : xycxs (3347 bytes)
C:\WINDOWS\javatj32.dll : tbozl (30644 bytes)
C:\WINDOWS\KB821557.log : akquz (30644 bytes)
C:\WINDOWS\kpsys32.dll : vptgv (11236 bytes)
C:\WINDOWS\mfcoj32.dll : hoqnik (11236 bytes)
C:\WINDOWS\mfcoj32.dll : ndwlu (11591 bytes)
C:\WINDOWS\MIXDEF.INI : gdpqp (11388 bytes)
C:\WINDOWS\MIXDEF.INI : sqtgef (30644 bytes)
C:\WINDOWS\ModemLog_Conexant SmartHSFi V92 56K Speakerphone PCI Modem #2.txt : qpdfm (11591 bytes)
C:\WINDOWS\ModemLog_Conexant SmartHSFi V92 56K Speakerphone PCI Modem #2.txt : vwpxpx (11592 bytes)
C:\WINDOWS\ModemLog_Conexant SmartHSFi V92 56K Speakerphone PCI Modem.txt : gyrtm (11236 bytes)
C:\WINDOWS\MSDFMAP.INI : gyshms (3567 bytes)
C:\WINDOWS\MSGSOCM.LOG : bqgpb (3347 bytes)
C:\WINDOWS\MSGSOCM.LOG : cbydgz (11236 bytes)
C:\WINDOWS\MSGSOCM.LOG : jzuei (30644 bytes)
C:\WINDOWS\MSGSOCM.LOG : thhpc (10240 bytes)
C:\WINDOWS\msla.exe : trzvd (55808 bytes)
C:\WINDOWS\msla.exe : ucjjaj (30644 bytes)
C:\WINDOWS\netdl.dll : ujbcy (30644 bytes)
C:\WINDOWS\netql.dll : rsoqmc (11236 bytes)
C:\WINDOWS\notepad.exe : jshvgm (30644 bytes)
C:\WINDOWS\ntgs.dll : uhrcg (11236 bytes)
C:\WINDOWS\n_dxypem.txt : phspdb (11236 bytes)
C:\WINDOWS\n_tvzicr.txt : thnpzh (11592 bytes)
C:\WINDOWS\n_zyehkf.dat : liyvtr (7471 bytes)
C:\WINDOWS\OCMSN.LOG : ejrawc (3567 bytes)
C:\WINDOWS\ODBC.INI : riuuz (3347 bytes)
C:\WINDOWS\oeuninst.exe : rqkbb (56832 bytes)
C:\WINDOWS\oeuninst.exe : rwkzh (10240 bytes)
C:\WINDOWS\OEWABLog.txt : wjjnqe (64000 bytes)
C:\WINDOWS\P16x.ini : bwlaz (11388 bytes)
C:\WINDOWS\P16x.ini : xwovu (10240 bytes)
C:\WINDOWS\phllt.dat : pbaoy (11236 bytes)
C:\WINDOWS\POCE98.DLL : mzcvtm (11592 bytes)
C:\WINDOWS\POCE98.DLL : obboz (26802 bytes)
C:\WINDOWS\POCE98.DLL : uxdft (3362 bytes)
C:\WINDOWS\Prefetch\ZSRFG.DAT : CPINS-39625A87.pf (8186 bytes)
C:\WINDOWS\preInMPP.exe : hbtua (30644 bytes)
C:\WINDOWS\ptccs.txt : uyyfag (0 bytes)
C:\WINDOWS\pzxad.dll : xafgpz (7305 bytes)
C:\WINDOWS\Q327979.log : fzjpwt (0 bytes)
C:\WINDOWS\Q327979.log : hesnl (3063 bytes)
C:\WINDOWS\Q327979.log : pbytjj (3547 bytes)
C:\WINDOWS\Q327979.log : ycezv (11591 bytes)
C:\WINDOWS\Q329048.log : ibjymt (68096 bytes)
C:\WINDOWS\Q329048.log : pcuij (10240 bytes)
C:\WINDOWS\Q329048.log : zfcsg (56832 bytes)
C:\WINDOWS\Q329115.log : yabvqe (0 bytes)
C:\WINDOWS\Q329441.log : bcabz (10240 bytes)
C:\WINDOWS\Q329441.log : jwhss (3063 bytes)
C:\WINDOWS\Q329441.log : qbmiso (0 bytes)
C:\WINDOWS\Q329909.log : avftg (26802 bytes)
C:\WINDOWS\Q330994.exe : cwaxm (56832 bytes)
C:\WINDOWS\Q330994.exe : tdtgt (26802 bytes)
C:\WINDOWS\Q816979.log : fgdju (7305 bytes)
C:\WINDOWS\Q816981.log : rzubw (11236 bytes)
C:\WINDOWS\Q817287.log : kigre (26624 bytes)
C:\WINDOWS\Q817287.log : xgoow (3347 bytes)
C:\WINDOWS\REGLOCS(10).OLD : wjtsf (26802 bytes)
C:\WINDOWS\REGLOCS(11).OLD : wjtsf (26802 bytes)
C:\WINDOWS\REGLOCS(12).OLD : nupin (11236 bytes)
C:\WINDOWS\REGLOCS(12).OLD : wjtsf (26802 bytes)
C:\WINDOWS\REGLOCS(13).OLD : wjtsf (26802 bytes)
C:\WINDOWS\REGLOCS(14).OLD : wjtsf (26802 bytes)
C:\WINDOWS\REGLOCS(2).OLD : wjtsf (26802 bytes)
C:\WINDOWS\REGLOCS(3).OLD : wjtsf (26802 bytes)
C:\WINDOWS\REGLOCS(4).OLD : wjtsf (26802 bytes)
C:\WINDOWS\REGLOCS(5).OLD : wjtsf (26802 bytes)
C:\WINDOWS\REGLOCS(5).OLD : ywsbj (30644 bytes)
C:\WINDOWS\REGLOCS(6).OLD : wjtsf (26802 bytes)
C:\WINDOWS\REGLOCS(7).OLD : wjtsf (26802 bytes)
C:\WINDOWS\REGLOCS(8).OLD : wjtsf (26802 bytes)
C:\WINDOWS\REGLOCS(9).OLD : wjtsf (26802 bytes)
C:\WINDOWS\REGOPT.LOG : vkuok (11236 bytes)
C:\WINDOWS\rxoay.txt : ruyxnb (11236 bytes)
C:\WINDOWS\Santa Fe Stucco.bmp : gmxgg (26802 bytes)
C:\WINDOWS\Santa Fe Stucco.bmp : zdfaq (56832 bytes)
C:\WINDOWS\SBWIN.INI : nsiebq (11592 bytes)
C:\WINDOWS\SchedLgU.Txt : kurdhm (30644 bytes)
C:\WINDOWS\sdkxo32.dll : wwckuz (11236 bytes)
C:\WINDOWS\sdkxr32.exe : qqqtcw (68096 bytes)
C:\WINDOWS\sdkxr32.exe : rksqnu (30644 bytes)
C:\WINDOWS\sessmgr.setup.log : xbqbf (26802 bytes)
C:\WINDOWS\SETUPLOG.TXT : hwkis (26802 bytes)
C:\WINDOWS\srcjs.dll : kywxn (3347 bytes)
C:\WINDOWS\TSOC.LOG : odombr (30644 bytes)
C:\WINDOWS\TWUNK_32.EXE : tfcfy (30644 bytes)
C:\WINDOWS\uyume.dll : blasi (96557 bytes)
C:\WINDOWS\VB.INI : wtqja (26802 bytes)
C:\WINDOWS\WIASERVC.LOG : xcass (30644 bytes)
C:\WINDOWS\Will.acl : cpvbr (30644 bytes)
C:\WINDOWS\Will.acl : ziobd (3347 bytes)
C:\WINDOWS\WIN.INI : cpxan (56832 bytes)
C:\WINDOWS\WIN.INI : lhqzi (97100 bytes)
C:\WINDOWS\WINHELP.EXE : ljvhl (30644 bytes)
C:\WINDOWS\WINHELP.EXE : pyhko (10240 bytes)
C:\WINDOWS\WINNT.BMP : cnhlc (30644 bytes)
C:\WINDOWS\WINNT256.BMP : gpvbqc (11591 bytes)
C:\WINDOWS\wmsetup.log : rqfaq (11236 bytes)
C:\WINDOWS\xraauk.dat : csikn (30644 bytes)
C:\WINDOWS\xraauk.dat : dzert (11591 bytes)
C:\WINDOWS\ywhnc.dll : snfdw (103409 bytes)
C:\WINDOWS\zbdhpf.dat : ighedw (7305 bytes)
C:\WINDOWS\zbdhpf.dat : mdaooj (11236 bytes)
C:\WINDOWS\zgcpcl.dat : sviio (30644 bytes)
C:\WINDOWS\zondo.dll : rksvu (3347 bytes)
C:\WINDOWS\zsrfg.dat : cpins (11236 bytes)
C:\WINDOWS\_DEFAULT.PIF : erapg (11591 bytes)
C:\WINDOWS\_DEFAULT.PIF : sutmp (26802 bytes)
  • 0

#7
Goodfox
Posted 24 February 2005 - 02:46 AM

Goodfox

    Member

  • Topic Starter
  • Member
  • PipPip
  • 13 posts
now what can i do
  • 0

#8
coachwife6
Posted 24 February 2005 - 03:45 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
working on it.
  • 0

#9
coachwife6
Posted 24 February 2005 - 10:02 AM

coachwife6

    SuperStar

  • Retired Staff
  • 11,413 posts
Turn off system restore.

To reset your restore points, please note that you will need to log into your computer with an account which has full administrator access. You will know if the account has administrator access because you will be able to see the System Restore tab. If the tab is missing, you are logged in under a limited account.

(Windows XP)
1. Turn off System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
Check Turn off System Restore.
Click Apply, and then click OK.

2. Reboot.

3. Turn ON System Restore.
On the Desktop, right-click My Computer.
Click Properties.
Click the System Restore tab.
UN-Check *Turn off System Restore*.
Click Apply, and then click OK.

How to Turn On and Turn Off System Restore in Windows XP
http://support.micro...kb;en-us;310405


Download the newest version of about buster at

http://malwarebytes....AboutBuster.zip

and unzip it to a folder.

Inside the folder is a readme file that has instructions on the use of the program.
AboutBuster MUST be updated before you use it.
Start AboutBuster, click the update button, check for update, drag the box to the side and hit download updates, close the box . Don't run it yet.


Please download and install http://www.lavasoftu...pport/download/.
Check http://russelltexas....e/adawarese.htm on how setup and use it - please make sure you update it first.

Download and unzip cwsserviceremove to your desktop. use either link below:
http://computercops....ownload&id=3002
http://www.mytechsup...rviceremove.zip


Download CW-Shredder at the link below:
http://cwshredder.ne.../CWShredder.exe

Open Windows Explorer & Go to Tools > Folder Options. Click on the View tab and make sure that "Show hidden files and folders" is checked.
Also uncheck "Hide protected operating system files" and untick "hide extensions for known file types" . Now click "Apply to all folders"
Click "Apply" then "OK"

For anyone using Windows XP, 'Search' will not automatically show hidden files even if your folder options settings are set to do that. Do this so you can see hidden files and folders - click here http://www.davehigha...ds/xphidden.zip to download xphidden.zip. Extract xphidden.reg from the zip file and save it to the desktop. When done, double-click the xphidden.reg and when asked to merge say yes.

Here's the fix:

Important Step
1. Go to Start->Run and type "Services.msc" (without quotes) then hit Ok
Scroll down and find the service called:
Remote Procedure Call (RPC) Helper


When you find it, double-click on it. In the next window that opens, click the Stop button, then click on properties and under the General Tab, change the Startup Type to Disabled. Now hit Apply and then Ok and close any open windows. If you don´t find this service listed go ahead with the next steps.

2. Reboot into SafeMode. <---MAKE SURE YOU KNOW HOW TO DO THIS!!

3. Press Ctrl+Alt+Delete once => Click Task Manager => Click the Processes tab => Double-click the Image Name column header to alphabetically sort the processes => Scroll through the list and look for:

netna.exe


If you find the files, click on them, and then click End Process => Exit the Task Manager.

4. CLOSE ALL WINDOWS AND BROWSERS Scan with Hijack This and put checks next to all the following, then click "Fix Checked"

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imlyi.dll/sp.html#22776
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imlyi.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = res://C:\WINDOWS\imlyi.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\WINDOWS\imlyi.dll/sp.html#22776
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = res://C:\WINDOWS\imlyi.dll/sp.html#22776
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = res://C:\WINDOWS\imlyi.dll/sp.html#22776

R3 - Default URLSearchHook is missing

O2 - BHO: (no name) - {B4CC47DF-B9D9-5967-E16B-51A675B6C681} - C:\WINDOWS\addui.dll

O16 - DPF: {70BA88C8-DAE8-4CE9-92BB-979C4A75F53B} (GSDACtl Class) - http://launch.gamesp...nch/alaunch.cab

O23 - Service: Remote Procedure Call (RPC) Helper (%AF夶À¨) - Unknown owner - C:\WINDOWS\netna.exe

5. Delete the following files if present:
C:\WINDOWS\imlyi.dll
C:\WINDOWS\addui.dll
C:\WINDOWS\netna.exe


If you get an error when deleting a file. Right click on the file and check to see if the read only attribute is checked. if it is uncheck it and try again.


(and any other files with the same name that end in .dll, .exe or .dat, you may find them right next to each other, example - appsw.exe, appsw.dll, appsw.dat)

6. Run AboutBuster . This will scan your computer for the bad files and delete them. Save the report (copy and paste into notepad or wordpad and save as a .txt file) and post a copy back here when you are done with all the steps.

7. Scan with AdAware and let it remove any bad files found.

8. Clean out temporary and TIF files. Go to Start > Run and type in the box: cleanmgr. Let it scan your system for files to remove. Make sure these 3 are checked and then press *ok* to remove:
[b]
Temporary Files
Temporary Internet Files
Recycle Bin

9. Double click on the cwsserviceremove and when asked to merge say yes.

10. Run CW-Shredder - Hit the FIX button - let it run and fix what it finds.

11. Reboot into normal mode.

Delete this folder if still present: C:\Program Files\TimeSink

12. Download the Hoster from here http://members.aol.c...dbee/hoster.zip. Press "Restore Original Hosts" and press "OK". Exit Program.

13. Download and run this online virus scan:
http://housecall.tre.../start_corp.asp
Make sure you check "AutoClean"


14. Reboot and post a fresh HJT log back here by using the add reply button below, and lets see how we did.

Big Thanks to Mr. C for the fix. :tazz:
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP