Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

Winfixer popups!

Started by Lisax06x , May 15 2006 12:47 PM

Please log in to reply

#1
Lisax06x

Posted 15 May 2006 - 12:47 PM

Member

Member
10 posts

My computer has been infected by a Winfixer virus.
Whenever i access any webpage, numerous popups come up and i cant seem to get rid of it. Can u please tell me if theres anything harmful in my hijackthis log. Or maybe tell me a solution to this winfixer problem? its driving me crazy! Thanks for reading! hope u can help.

Logfile of HijackThis v1.99.1
Scan saved at 19:40:40, on 15/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\vsnpt513.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\defender19a.exe
C:\Program Files\Common Files\AOL\1132492421\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1132492421\ee\AOLServiceHost.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\sys11-1799744824.exe
c:\program files\common files\aol\1132492421\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1132492421\ee\AOLServiceHost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\KCeasy\KCeasy.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\KCeasy\giFT\giFTl.exe
C:\WINDOWS\cfg32a.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Documents and Settings\Lisa\Desktop\lcdqw782\Crack\QuickWiper.exe
C:\DOCUME~1\Lisa\LOCALS~1\Temp\Temporary Directory 1 for hijackthis.zip\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://soft-trend.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://soft-trend.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\hqpig.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,smvmqlj.exe
O4 - HKLM\..\Run: [Dgu] C:\WINDOWS\System32\Rsh.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Icc] C:\WINDOWS\System32\Msg.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SNPT513] C:\WINDOWS\vsnpt513.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\Run: [MsMovies] C:\Program Files\MsMovies\MsMovies.exe /auto
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132492421\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [defender] C:\\defender19a.exe
O4 - HKLM\..\Run: [keyboard] C:\\keyboard19.exe
O4 - HKLM\..\Run: [newname] C:\\newname19.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [TheMonitor] C:\WINDOWS\CCZoop05.exe
O4 - HKLM\..\Run: [sys11-1799744824] C:\WINDOWS\sys11-1799744824.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [filecroc] "C:\Program Files\FileCroc\FileCroc.exe" -h
O4 - HKCU\..\Run: [KCeasy] C:\Program Files\KCeasy\KCeasy.exe /hide
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm (file missing)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125103750250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA74F2E4-F118-47DE-B753-A5E7B89C3E17}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: NTDBGTOOL - {2609297E-A16E-4666-B84F-3901159D3053} - C:\WINDOWS\System32\neteinst.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: Network Monitor - Unknown owner - C:\Program Files\Network Monitor\netmon.exe (file missing)
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#2
Noviciate

Posted 15 May 2006 - 01:28 PM

Confused Helper

Malware Removal
1,567 posts

I am in the process of reviewing your log - I will post a reply as soon as I am able.

#3
Noviciate

Posted 15 May 2006 - 01:33 PM

Confused Helper

Malware Removal
1,567 posts

IMPORTANT
You are running HJT from an unsafe location - it should be unzipped into a folder of its own.
A brief explanation can be found here.
If you do not know how to use the Windows XP Extraction Wizard, a tutorial is available here.
Please do this before you proceed. If you have any questions, please ask.
This IS important, so don't be tempted to skip it!

--------------------------------------------------------------------------------------------------------------------------------

When you have attended to the above, read on...

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download the trial version of Ewido Anti-Malware from here and save it to your Desktop.
When the download has finished, locate ewido-setup.exe and double click it to begin installation.
** If you already have Ewido installed, update it and go to 2) **

In the 'Additional Options' window, uncheck:
'Install required for automatic updates (background guard)'.

When installation is complete, you will need to update Ewido to the latest definition files.
To do this:
Double click the Ewido Desktop icon.
In the main screen, on the left hand side, click Update.
In the following screen, click Start Update

A progress bar will show how the update is going. When it has finished updating, close it.

If you have problems with the updater, you can manually update Ewido.
Click here and save ewido-signatures-full-current.exe to your Desktop.
All you need to do then is to double-click it, click Install and then, when it has finished, Close.

Ewido Anti-Malware is designed to be used to both scan for and remove malicious files and also to run alongside, but not replace, your existing anti-virus program to give an added layer of protection.
However, as the real-time protection may interfere with the fixing of your PC, this function will have been disabled as long as you followed the installation instructions correctly.
At the end of the trial period, Ewido will revert to a stand-alone scanner which you can keep and update for free and use in a similar way to Ad-Aware SE Personal.
Should you wish to benefit from the real-time protection, you will need to upgrade the program. To do this, simply open it and click on the Buy now online button.

2) Download bfu.zip - (Brute Force Uninstaller©Merijn) from here and save it to your Desktop.
You will need to unzip it. To do this: Right click on the zipped folder and from the menu that appears, click on Extract All...
In the 'Extraction Wizard' window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish
You should now see the contents of the bfu folder - BFU.exe.

Double click BFU.exe to run it. When the "Brute Force Uninstaller" window appears, click the "globe" icon in the top right hand corner.
In the "Download BFU script..." window, copy and paste the following and then click OK:

http://metallica.geekstogo.com/alcanshorty.bfu

You should see the file alcanshorty.bfu appear in the bfu folder next to BFU.exe.

Close the folder for now - you will need to use it later.

3) You will need to set Windows to show All Hidden Files and Folders.
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

4) You will need to know how to boot into Safe Mode.
Instructions can be found here.

5) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Boot into Safe Mode.

2) Run Ewido.
Click on Scanner.
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK.
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says 'Perform action with all infections' then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report - click it.
Save the report.txt file to your desktop.

Now close Ewido Anti-Malware.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!

3) Open the bfu folder and double click BFU.exe.
To select the scriptfile to execute, first double click the folder icon to the left of the globe.
You should now see a window containing alcanshorty.bfu, simply double click it.
Finally, click the Execute button to begin.

When the tool has finished running, you will get a "BFU" window with the message "Completed script execution", click on OK.

4) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

5) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

6) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

7) Boot into Normal Mode.

Post a new HJT log, the Ewido log AND a description of how your PC is running.

Also, run HJT and click on Open the Misc Tools section.
In the next window, click on Open Uninstall Manager...
In the final window, click on Save list... and save it to your Desktop.
Copy and paste this file: uninstall_list.txt into your next reply.

#4
Lisax06x

Posted 16 May 2006 - 11:05 AM

Member

Topic Starter
Member
10 posts

Thank you for your quick reply and all your help. There has been no sign of winfixer since i followed your advice, although i am still getting popups on aol despite having my popup controls on, but maybe i should just download some extra security.

Here are my logs

ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 15:21:05, 16/05/2006
+ Report-Checksum: 1F4B1CAC

+ Scan result:

HKLM\SOFTWARE\Classes\CLSID\{5345A7A9-805A-4923-B505-86B2FEBA3FE0} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{962F12AE-2773-4BEB-99EA-B5C3AB9A6606} -> Adware.Generic : Cleaned with backup
HKLM\SOFTWARE\Classes\CLSID\{EE86F11E-08FB-4B20-B175-7726C63DF9E9} -> Hijacker.Generic : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Internet Explorer\Main\ins -> Adware.WebRebates : Cleaned with backup
HKU\S-1-5-21-3646499915-2529006832-1698683601-1011\Software\Microsoft\Internet Explorer\URLSearchHooks\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup
HKU\S-1-5-21-3646499915-2529006832-1698683601-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{0D2DEF3A-F4F1-42EC-AC4F-132E7BA6E292} -> Adware.MWSearch : Cleaned with backup
HKU\S-1-5-21-3646499915-2529006832-1698683601-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{364B6276-C6C1-40B6-A6D7-6C48871FD707} -> Adware.Accoona : Cleaned with backup
HKU\S-1-5-21-3646499915-2529006832-1698683601-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{5345A7A1-805A-4923-B505-86B2FEBA3FE0} -> Adware.Generic : Cleaned with backup
HKU\S-1-5-21-3646499915-2529006832-1698683601-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{944864A5-3916-46E2-96A9-A2E84F3F1208} -> Adware.Accoona : Cleaned with backup
HKU\S-1-5-21-3646499915-2529006832-1698683601-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{A19EF336-01D4-48E6-926A-FE7E1C747AED} -> Adware.MWSearch : Cleaned with backup
HKU\S-1-5-21-3646499915-2529006832-1698683601-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{DA7FF3F8-08BE-4CAC-BC00-94D91C6AE7F4} -> Adware.MWSearch : Cleaned with backup
HKU\S-1-5-21-3646499915-2529006832-1698683601-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{F65B197F-8260-4D52-909A-F70118E646EB} -> Adware.MWSearch : Cleaned with backup
HKU\S-1-5-21-3646499915-2529006832-1698683601-1011\Software\Microsoft\Windows\CurrentVersion\Ext\Stats\{FFF4E223-7019-4CE7-BE03-D7D3C8CCE884} -> Adware.Shorty : Cleaned with backup
[748] C:\WINDOWS\system32\xoxewot.dll -> Downloader.Qoologic.bj : Cleaned with backup
C:\503_617.exe -> Trojan.Small : Cleaned with backup
C:\AntiVirScan.exe -> Worm.VB.dy : Cleaned with backup
C:\bac.exe -> Worm.VB.dy : Cleaned with backup
C:\bac2.exe -> Worm.VB.dy : Cleaned with backup
C:\defender19a.exe -> Hijacker.VB.nh : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20060514141803.zip/WINDOWS/NDNuninstall6_38.exe -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20060514141803.zip/WINDOWS/NDNuninstall7_22.exe -> Adware.NewDotNet : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20060515144334.zip/Program Files/webhancer/programs/whagent.exe -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20060515144334.zip/Program Files/webhancer/programs/whiehlpr.dll -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20060515144334.zip/Program Files/webhancer/whAgent_update.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20060515144334.zip/Program Files/webhancer/programs/whsurvey.exe -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20060515144334.zip/Program Files/webhancer/Programs/webhdll.dll -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20060515144334.zip/Program Files/webhancer/programs/whiehlpr.to_be_deleted -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20060515144334.zip/Program Files/webhancer/Programs/whinstaller.exe -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\All Users\Application Data\AOL\UserProfiles\All Users\antiSpyware\dat\Quarantine\20060515144334.zip/Program Files/webhancer/programs/webhdll.to_be_deleted_x -> Adware.WebHancer : Cleaned with backup
C:\Documents and Settings\David Jones\Local Settings\Temporary Internet Files\Content.IE5\KPSZOJKV\wbk59.tmp -> Not-A-Virus.Exploit.VBS.Phel.i : Cleaned with backup
C:\Documents and Settings\David Jones\Local Settings\Temporary Internet Files\Content.IE5\OJWLMN0P\wbk57.tmp -> Not-A-Virus.Exploit.VBS.Phel.i : Cleaned with backup
C:\Documents and Settings\Julie Jones\Cookies\julie [email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Julie Jones\Cookies\julie [email protected][2].txt -> TrackingCookie.Esomniture : Cleaned with backup
C:\Documents and Settings\Julie Jones\Cookies\julie jones@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned with backup
C:\Documents and Settings\Julie Jones\Local Settings\Temp\KPZ4.tmp/Program Files/webhancer/Programs/webhdll.to_be_deleted -> Adware.WebHancer : Error during cleaning
C:\Documents and Settings\Julie Jones\Local Settings\Temp\KPZ4.tmp/Program Files/webhancer/Programs/whiehlpr.to_be_deleted_x -> Adware.WebHancer : Error during cleaning
C:\Documents and Settings\Lisa\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\[email protected][1].txt -> TrackingCookie.Top-banners : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\drsmartload1.exe -> Downloader.Adload.ap : Cleaned with backup
C:\drsmartload45a.exe -> Downloader.Adload.bj : Cleaned with backup
C:\drsmartload46a.exe -> Downloader.Adload.bi : Cleaned with backup
C:\Installer.exe -> Adware.Look2Me : Cleaned with backup
C:\keyboard19.exe -> Downloader.VB.ys : Cleaned with backup
C:\newname19.exe -> Downloader.VB.aci : Cleaned with backup
C:\NNSCAA638.EXE -> Adware.NewDotNet : Cleaned with backup
C:\Program Files\Common Files\misc001\webhc1.exe/whAgent.exe -> Adware.WebHancer : Error during cleaning
C:\Tagasaurus.exe -> Dropper.Agent.hl : Cleaned with backup
C:\VSL.dl_ -> Downloader.Small.ctp : Cleaned with backup
C:\WINDOWS\azesearch.bmp -> Adware.Azesearch : Cleaned with backup
C:\WINDOWS\drsmartload95a.exe -> Downloader.Adload.ai : Cleaned with backup
C:\WINDOWS\system32\ad.html -> Hijacker.Agent.e : Cleaned with backup
C:\WINDOWS\system32\dmonwv.dll -> Downloader.Agent.agw : Cleaned with backup
C:\WINDOWS\system32\wfnhr.dat -> Downloader.Qoologic.bj : Cleaned with backup
C:\WINDOWS\TGlzYSBKb25lcw\command.exe -> Adware.CommAd : Cleaned with backup
C:\WINDOWS\unwn.exe -> Trojan.Qoologic : Cleaned with backup
C:\WINDOWS\visfx500.exe -> Dropper.Agent.aie : Cleaned with backup

::Report End

Logfile of HijackThis v1.99.1
Scan saved at 18:01:25, on 16/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\vsnpt513.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\WINDOWS\cfg32.exe
C:\WINDOWS\sys11-1799744824.exe
C:\Program Files\KCeasy\KCeasy.exe
C:\Program Files\Common Files\AOL\1132492421\ee\AOLHostManager.exe
C:\Program Files\Common Files\svchostsys\svchostsys.exe
C:\Program Files\Common Files\AOL\1132492421\ee\AOLServiceHost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\program files\common files\aol\1132492421\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1132492421\ee\AOLServiceHost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\cfg32a.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\KCeasy\giFT\giFTl.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://soft-trend.net
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://soft-trend.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\hqpig.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,smvmqlj.exe
O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll
O4 - HKLM\..\Run: [Dgu] C:\WINDOWS\System32\Rsh.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Icc] C:\WINDOWS\System32\Msg.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SNPT513] C:\WINDOWS\vsnpt513.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132492421\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [sys11-1799744824] C:\WINDOWS\sys11-1799744824.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [filecroc] "C:\Program Files\FileCroc\FileCroc.exe" -h
O4 - HKCU\..\Run: [KCeasy] C:\Program Files\KCeasy\KCeasy.exe /hide
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm (file missing)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125103750250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA74F2E4-F118-47DE-B753-A5E7B89C3E17}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O21 - SSODL: NTDBGTOOL - {2609297E-A16E-4666-B84F-3901159D3053} - C:\WINDOWS\System32\neteinst.dll (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Uninstall_list -

Adobe Illustrator 10 Tryout
Adobe Reader 6.0
Adobe SVG Viewer 3.0
Ahead Nero - Burning Rom
AMCap
AOL Coach Version 1.0(Build:20040229.1 uk)
AOL UK (Choose which version to remove)
ArcSoft PhotoImpression
AVI Codec Pack
BitLord 1.1
BT Voyager 105 ADSL Modem
BT Voyager Modem AOL Test
CC_ccProxyMSI
CC_ccStart
ccCommon
Codec Pack - All In 1 6.0.3.0
Corel Paint Shop Pro X
CyberScrub® Privacy Suite™ 4.0 Trial
DivX
DivX Player
ewido anti-malware
GPL MPEG-1/2 DirectShow Decoder Filter
GuildFTPd FTP Deamon
J2SE Runtime Environment 5.0 Update 5
KCeasy 0.17-rc1
LiveUpdate 3.0 (Symantec Corporation)
Microsoft .NET Framework (English)
Microsoft .NET Framework (English) v1.0.3705
Microsoft .NET Framework 1.0 Hotfix (KB886906)
Microsoft .NET Framework 1.1
Microsoft .NET Framework 2.0
Microsoft Windows Journal Viewer
Microsoft Works 7.0
MSN Messenger 7.5
MSRedist
Music Display Pictures 1.0
Norton AntiSpam
Norton AntiSpam
Norton AntiVirus
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton Internet Security
Norton WMI Update
OpenMG Limited Patch 4.1-05-13-31-01
OpenMG Secure Module 4.1.00
Paint.NET v2.61
QuickTime
QuickWiper 7.8
Samsung Mobile USB Modem Software
Samsung PC Studio II 2.0 PIMS & File Manager
Security Update for Windows Media Player (KB911564)
Security Update for Windows Media Player 10 (KB911565)
Security Update for Windows XP (KB883939)
Security Update for Windows XP (KB896424)
Security Update for Windows XP (KB896688)
Security Update for Windows XP (KB900725)
Security Update for Windows XP (KB901017)
Security Update for Windows XP (KB901190)
Security Update for Windows XP (KB901214)
Security Update for Windows XP (KB902400)
Security Update for Windows XP (KB903235)
Security Update for Windows XP (KB904706)
Security Update for Windows XP (KB905414)
Security Update for Windows XP (KB905749)
Security Update for Windows XP (KB905915)
Security Update for Windows XP (KB908519)
Security Update for Windows XP (KB908531)
Security Update for Windows XP (KB911562)
Security Update for Windows XP (KB911567)
Security Update for Windows XP (KB911927)
Security Update for Windows XP (KB912812)
Security Update for Windows XP (KB912919)
Security Update for Windows XP (KB913446)
Security Update for Windows XP (KB913580)
SonicStage 3.0
SY-DSC
Symantec Script Blocking Installer
Theme Park World Fix
Update for Windows XP (KB900485)
Update for Windows XP (KB910437)
Viewpoint Media Player
Wave Splitter 2.10
WinAVI VideoConverter
Windows Media Format SDK Hotfix - KB891122
Windows XP Creativity Fun Packs - Windows Movie Maker 2
Windows XP Creativity Fun Packs - Windows Movie Maker 2 - Titles
Windows XP Hotfix - KB886185
Windows XP Hotfix - KB887472
Windows XP Hotfix - KB887742
Windows XP Service Pack 2
Windows XP Winter Fun Pack for Windows Movie Maker 2
XP Codec Pack

#5
Noviciate

Posted 16 May 2006 - 01:43 PM

Confused Helper

Malware Removal
1,567 posts

Unfortunately you have managed to accumulate a goodly selection of slime on your PC which will take a little more work to clean up.
The following should see the back of most, if not all of it. The online scan at the end will hopefully identify anything that may still be lurking on your computer:

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) Download bfu.zip - (Brute Force Uninstaller©Merijn) from here and save it to your Desktop.
The folder needs to be unzipped and placed at the root of your main hard drive - In most cases this is C:\.

To do this:

Right click on the zipped folder and from the menu that appears, click on Extract All...
Click on Next >.
Click on Browse....
Click on the "+" sign next to "My Computer".
Click on "Local Disk (C:)" or whatever your main drive is - NOT the "+" sign!
Click on Make New Folder.
Type in "BFU" (without the quotation marks).
Click on OK.
Click on Next >, uncheck the "Show extracted files" box and then click on Finish.

2) Next you need to download qoofix.bat by LonnyRJones and save it into the BFU folder you created earlier.
Right click the link and from the menu that appears:

If you use Firefox click on "Save Link As..."
If you use I.E. click on "Save Target As... "

You can either save it directly into the folder, or save it to your Desktop and cut and paste it.

Removal

1) Navigate to the bfu folder, open it and double-click qooFix.bat and then close all browsers and explorer folders.

Press "1" and then <ENTER> to run the Qoolfix autofix and follow the prompts.
Please be patient, this process will take about five minutes.

2) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp...rch/search.html

R3 - URLSearchHook: (no name) - {02EE5B04-F144-47BB-83FB-A60BD91B74A9} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\hqpig.exe
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,smvmqlj.exe

O2 - BHO: CFG32S - {7564B020-44E8-4c9b-A887-C6EC41AC67DA} - C:\WINDOWS\cfg32r.dll
O2 - BHO: Scaggy Insert - {C68AE9C0-0909-4DDC-B661-C1AFB9F59898} - C:\WINDOWS\cfg32o.dll

O4 - HKLM\..\Run: [] winlog.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [sys11-1799744824] C:\WINDOWS\sys11-1799744824.exe
O4 - HKLM\..\RunServices: [] winlog.exe
O4 - HKCU\..\Run: [sys_up1] C:\Program Files\Common Files\svchostsys\svchostsys.exe

O21 - SSODL: NTDBGTOOL - {2609297E-A16E-4666-B84F-3901159D3053} - C:\WINDOWS\System32\neteinst.dll (file missing)

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

3) Boot into Safe Mode.

4) Run Ewido.
Click on Scanner.
Click on Complete System Scan and the scan will begin.
While the scan is in progress you will be prompted to clean files, click OK.
When it asks if you want to clean the first file, put a checkmark in the lower left corner of the box that says 'Perform action with all infections' then choose clean and click OK.
Once the scan has completed, there will be a button located on the bottom of the screen named Save report - click it.
Save the report.txt file to your desktop.

Now close Ewido Anti-Malware.

Warning: While the scan is in progress, DO NOT open any folders or the Windows Control Panel !!

5) Remove any/all of the following files/folders that you can find:

Files

C:\WINDOWS\cfg32.exe
C:\WINDOWS\sys11-1799744824.exe

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'

Files

winlog.exe

Click on Start,
Click on Search
Click on 'All files and folders'
In the 'All or part of the file name:' textbox, enter the above file name(s) and click on Search
Right click on any entries that are found and from the menu that appears, click on Delete

Folders

C:\Program Files\Common Files\svchostsys

As an example:
To delete C:\WINDOWS\system32\foldertogo
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on foldertogo and from the menu that appears, click on 'Delete'

6) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

7) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

8) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

9) Boot into Normal Mode.

10) Run the following scan: Kaspersky Online Scanner.
When you see "Please select a target to scan", click on "My Computer".
When the scan has completed and the results are displayed, click on the Save as text button and save the report with an appropriate name to your Desktop.

** Please note **
a) I.E. is required to run this scan.
b) You will need to remain online for the duration of the scan.

When you've done ALL that, I want the following:

A fresh HJT log.
The Ewido log.
The Kaspersky log.
Last but not least, a description of how your PC is running.

#6
Lisax06x

Posted 17 May 2006 - 12:36 PM

Member

Topic Starter
Member
10 posts

Thank you again!!
When i log onto windows theres an error message saying 'could not find program code' im not sure what this is referring to.
My computer is running ok otherwise, although it does run slower at times. popups seem to have gone.

Also I was wondering if u know if there is any kind of program that allows u to wipe ur hard disk free of all previously deleted files? I want my system clean.

---------------------------------------------------------
ewido anti-malware - Scan report
---------------------------------------------------------

+ Created on: 14:32:09, 17/05/2006
+ Report-Checksum: AA70A01F

+ Scan result:

HKLM\SOFTWARE\Bargains -> Adware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\CashBack -> Adware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher -> Adware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher\CLSID -> Adware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\ADP.UrlCatcher.1 -> Adware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Classes\AppID\BookedSpace.DLL -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CLSID -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension\CurVer -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\BookedSpace.Extension.5 -> Adware.BookedSpace : Cleaned with backup
HKLM\SOFTWARE\Classes\CB.UrlCatcher -> Adware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CB.UrlCatcher\CLSID -> Adware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\CB.UrlCatcher.1 -> Adware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CLSID -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand\CurVer -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\KBBar.KBBarBand.1 -> Adware.PowerStrip : Cleaned with backup
HKLM\SOFTWARE\Classes\NLS.UrlCatcher -> Adware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\NLS.UrlCatcher\CLSID -> Adware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\Classes\NLS.UrlCatcher.1 -> Adware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\eXactUtil -> Adware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\BargainBuddy -> Adware.BargainBuddy : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\CashBack -> Adware.CashBack : Cleaned with backup
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\NaviSearch -> Adware.NaviSearch : Cleaned with backup
HKLM\SOFTWARE\NaviSearch -> Adware.NaviSearch : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\[email protected][2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@2o7[2].txt -> TrackingCookie.2o7 : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@casalemedia[2].txt -> TrackingCookie.Casalemedia : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@com[1].txt -> TrackingCookie.Com : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@revenue[1].txt -> TrackingCookie.Revenue : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@tradedoubler[2].txt -> TrackingCookie.Tradedoubler : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned with backup
C:\Documents and Settings\Lisa\Cookies\lisa@zedo[2].txt -> TrackingCookie.Zedo : Cleaned with backup
C:\Program Files\BullsEye Network -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\bin -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\bin\bargains.exe -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\BullsEye Network\Uninstall.exe -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\CashBack -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bb_auto_wider.swf -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bb_click_wider.swf -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bb_welcome.html -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bb_welcome1.swf -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bin -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bin\cashback.exe -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bin\cb.exe -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\bin\flash.exe -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\blank.gif -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\icon.gif -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\logo.gif -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\template.html -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\template2.html -> Adware.CashBack : Cleaned with backup
C:\Program Files\CashBack\Uninstall.exe -> Adware.CashBack : Cleaned with backup
C:\Program Files\Common Files\misc001\webhc1.exe/whAgent.exe -> Adware.WebHancer : Cleaned with backup
C:\Program Files\NaviSearch -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\NaviSearch\ad.dat -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\NaviSearch\bin -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\NaviSearch\bin\nls.exe -> Adware.BargainBuddy : Cleaned with backup
C:\Program Files\NaviSearch\Uninstall.exe -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\876056.exe -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\system32\exdl.exe -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\exul.exe -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\msbe.dll -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\mscb.dll -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\nvms.dll -> Adware.BargainBuddy : Cleaned with backup
C:\WINDOWS\system32\WinDmy.dll -> Adware.Mirar : Cleaned with backup
C:\WINDOWS\system32\WinNB57.dll -> Adware.Mirar : Cleaned with backup

::Report End

Wednesday, May 17, 2006 6:39:39 PM
Operating System: Microsoft Windows XP Home Edition, Service Pack 2 (Build 2600)
Kaspersky On-line Scanner version: 5.0.78.0
Kaspersky Anti-Virus database last update: 17/05/2006
Kaspersky Anti-Virus database records: 182767

Scan Settings
Scan using the following antivirus database standard
Scan Archives true
Scan Mail Bases true

Scan Target My Computer
A:\
C:\
D:\
E:\

Scan Statistics
Total number of scanned objects 64451
Number of viruses found 11
Number of infected objects 27
Number of suspicious objects 0
Duration of the scan process 02:31:26

Infected Object Name Virus Name Last Action
C:\Program Files\install.exe/stream/data0001/stream/data0001 Infected: Trojan-Downloader.Win32.IstBar.er skipped

C:\Program Files\install.exe/stream/data0001/stream Infected: Trojan-Downloader.Win32.IstBar.er skipped

C:\Program Files\install.exe/stream/data0001 Infected: Trojan-Downloader.Win32.IstBar.er skipped

C:\Program Files\install.exe/stream Infected: Trojan-Downloader.Win32.IstBar.er skipped

C:\Program Files\install.exe NSIS: infected - 4 skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\050E0E76 Infected: Trojan-Downloader.JS.IstBar.ad skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\12F37A29/data0002/data0003 Infected: Trojan-Downloader.Win32.Keenval.f skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\12F37A29/data0002 Infected: Trojan-Downloader.Win32.Keenval.f skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\12F37A29 NSIS: infected - 2 skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\12F37A29 CryptFF: infected - 2 skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\26F11883 Infected: Trojan-Downloader.Win32.IstBar.gen skipped

C:\Program Files\Norton Internet Security\Norton AntiVirus\Quarantine\4FBF3CDB Infected: Backdoor.Win32.Rbot.adx skipped

C:\Trelew.exe/data0006 Infected: Trojan-Dropper.Win32.VB.mz skipped

C:\Trelew.exe NSIS: infected - 1 skipped

C:\WINDOWS\CCZoop05.exe Infected: Trojan.Win32.VB.tg skipped

C:\WINDOWS\system32\bdapdsl1.dll Infected: Virus.Win32.Bayan-based skipped

C:\WINDOWS\system32\crypo412.dll Infected: Backdoor.Win32.PPdoor.d skipped

C:\WINDOWS\system32\lljcp71.dll Infected: Backdoor.Win32.PPdoor.d skipped

C:\WINDOWS\system32\modeolcy.dll Infected: Backdoor.Win32.PPdoor.d skipped

C:\WINDOWS\system32\offfn11n.dll Infected: Virus.Win32.Bayan-based skipped

C:\WINDOWS\system32\optimizer.exe/stream/data0001 Infected: Trojan-Downloader.Win32.IstBar.er skipped

C:\WINDOWS\system32\optimizer.exe/stream Infected: Trojan-Downloader.Win32.IstBar.er skipped

C:\WINDOWS\system32\optimizer.exe NSIS: infected - 2 skipped

C:\WINDOWS\system32\tcpmrvpa.dll Infected: Virus.Win32.Bayan-based skipped

C:\WINDOWS\system32\VSL03.exe/data0004 Infected: Trojan-Downloader.Win32.Small.ctp skipped

C:\WINDOWS\system32\VSL03.exe/data0005 Infected: Trojan-Downloader.Win32.Small.ajc skipped

C:\WINDOWS\system32\VSL03.exe NSIS: infected - 2 skipped

Scan process completed.

Logfile of HijackThis v1.99.1
Scan saved at 19:31:17, on 17/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\vsnpt513.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\KCeasy\KCeasy.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
C:\Program Files\SpyCatcher\Scheduler daemon.exe
C:\Program Files\Common Files\AOL\1132492421\ee\AOLHostManager.exe
C:\Program Files\Common Files\AOL\1132492421\ee\AOLServiceHost.exe
c:\program files\common files\aol\1132492421\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1132492421\ee\AOLServiceHost.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\KCeasy\giFT\giFTl.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\PROGRA~1\VOYAGE~1\fts.exe
C:\WINDOWS\system32\cidaemon.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://soft-trend.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://soft-trend.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll (file missing)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (file missing)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll (file missing)
O4 - HKLM\..\Run: [Dgu] C:\WINDOWS\System32\Rsh.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Icc] C:\WINDOWS\System32\Msg.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SNPT513] C:\WINDOWS\vsnpt513.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132492421\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [CashBack] C:\Program Files\CashBack\bin\cashback.exe
O4 - HKLM\..\Run: [NaviSearch] C:\Program Files\NaviSearch\bin\nls.exe
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKCU\..\Run: [filecroc] "C:\Program Files\FileCroc\FileCroc.exe" -h
O4 - HKCU\..\Run: [KCeasy] C:\Program Files\KCeasy\KCeasy.exe /hide
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm (file missing)
O15 - Trusted Zone: http://awbeta.net-nucleus.com (HKLM)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125103750250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA74F2E4-F118-47DE-B753-A5E7B89C3E17}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

Edited by Lisax06x, 17 May 2006 - 12:37 PM.

#7
Noviciate

Posted 17 May 2006 - 02:09 PM

Confused Helper

Malware Removal
1,567 posts

You will need to make a copy of these instructions because you have to disconnect from the internet to complete the fix. Either print them out or copy and paste them into Notepad.

Preparation

1) You will need to set Windows to show All Hidden Files and Folders
Instructions can be found here.
** These files are hidden to stop you accidentally removing something important.
It is advisable to hide them again after fixing your computer. **

2) You will also need to know how to boot into Safe Mode.
Instructions can be found here.

3) Log off from the internet and disconnect your modem cable for the duration of the fix.

Removal

1) Run HijackThis as you did to generate a log, but this time click on 'Do a system scan only'.
Place a checkmark in the boxes to the left of the following entries, by clicking on them:

O2 - BHO: NLS UrlCatcher Class - {AEECBFDA-12FA-4881-BDCE-8C3E1CE4B344} - C:\WINDOWS\system32\nvms.dll (file missing)
O2 - BHO: CB UrlCatcher Class - {CE188402-6EE7-4022-8868-AB25173A3E14} - C:\WINDOWS\system32\mscb.dll (file missing)
O2 - BHO: ADP UrlCatcher Class - {F4E04583-354E-4076-BE7D-ED6A80FD66DA} - C:\WINDOWS\system32\msbe.dll (file missing)
O3 - Toolbar: Related Page - {9A9C9B68-F908-4AAB-8D0C-10EA8997F37E} - C:\WINDOWS\system32\WinNB57.dll (file missing)

CLOSE ALL OPEN WINDOWS AND BROWSERS - EXCEPT HJT and click on Fix checked

2) Boot into Safe Mode.

3) Remove any/all of the following files/folders that you can find:

Files

C:\Program Files\install.exe
C:\Trelew.exe
C:\WINDOWS\CCZoop05.exe
C:\WINDOWS\system32\bdapdsl1.dll
C:\WINDOWS\system32\crypo412.dll
C:\WINDOWS\system32\lljcp71.dll
C:\WINDOWS\system32\modeolcy.dll
C:\WINDOWS\system32\offfn11n.dll
C:\WINDOWS\system32\optimizer.exe
C:\WINDOWS\system32\tcpmrvpa.dll
C:\WINDOWS\system32\VSL03.exe

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'

4) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

5) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

6) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

7) Boot into Normal Mode.

8) Run the following online scan: Panda ActiveScan.

Please note that IE is required to run this scan.
You will need to fill in the "Country, region, email address" information before you can download and install the ActiveX components necessary to run the scan.
When you are asked to "Select a device to scan...", click on "My Computer".

When the scan has finished, click See Report > Save Report which by default will save the scan results as Activescan.txt in My Documents.

Copy and paste the result of the above scan into your next reply along with a fresh HJT log AND a description of how your PC is running.

----------------------------------------------------------------------------------------------------

Also I was wondering if u know if there is any kind of program that allows u to wipe ur hard disk free of all previously deleted files?

If you want a file that exists permanently deleting, there are a number of programs that will make it difficult to recover. If you like free, one such program is Spybot Search and Destroy - this has a secure file shredder. If you install it, go to Mode > Advanced mode > Tools > Secure Shredder. Spybot is available here.
Making a deleted file unrecoverable is usually done by overwriting the part of the disk that it was stored on. The easiest way to do this is by defragmenting your hard drive. A tutorial for disc defragmentation is available here.
Once your hard drive is full enough, the new data that you save will have overwritten all the old data that was stored on it.
Bear in mind that to be absolutely sure that data is unrecoverable, you need to destroy the hard drive!

#8
Noviciate

Posted 17 May 2006 - 02:31 PM

Confused Helper

Malware Removal
1,567 posts

One other thing - mind like a sieve!

I want you to navigate to the following files:C:\WINDOWS\System32\Rsh.exe
C:\WINDOWS\System32\Msg.exe
Right click each and select Properties
Under the Version Tab, I want you to confirm for me that they are copyrighted Microsoft Corporation files.

#9
Lisax06x

Posted 20 May 2006 - 11:25 AM

Member

Topic Starter
Member
10 posts

The files are both microsoft corporation files.
All i can say about my computer is that it still tends to run slow.

Incident Status Location

Adware:adware/azesearch Not disinfected c:\windows\system32\azebar.xml
Hacktool:hacktool/rootkit.d Not disinfected c:\windows\system32\klo5.sys
Adware:adware/ilookup Not disinfected c:\windows\system32\mac02.ico
Adware:adware/ncase Not disinfected c:\windows\system32\saie_gdf.dat
Adware:adware/adshooter Not disinfected c:\windows\system32\syscr.dll
Potentially unwanted tool:application/funweb Not disinfected c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
Dialer:dialer.xd Not disinfected c:\windows\downloaded program files\start77.inf
Adware:adware/portalscan Not disinfected c:\windows\bundles\2504041110.exe
Adware:adware/exact.bargainbuddy Not disinfected c:\windows\bbchk.exe
Adware:adware/oemji Not disinfected c:\program files\common files\Oem Common
Adware:adware/maxifiles Not disinfected c:\program files\common files\Windows
Adware:adware/beginto Not disinfected c:\windows\system32\cache32_dsktptr
Adware:adware/broadcastpc Not disinfected c:\program files\Bpt
Potentially unwanted tool:application/myway Not disinfected c:\program files\MyWay
Adware:adware/toprebates Not disinfected c:\program files\Rebate_Nation
Adware:adware/tvmedia Not disinfected c:\windows\bundles
Adware:adware/delfinmedia Not disinfected c:\documents and settings\all users\application data\vidctrl
Spyware:spyware/media-motor Not disinfected Windows Registry
Adware:adware/wupd Not disinfected Windows Registry
Adware:adware/elitebar Not disinfected Windows Registry
Potentially unwanted tool:application/winfixer2005 Not disinfected hkey_local_machine\software\WinFixer2005
Adware:adware/ist.istbar Not disinfected Windows Registry
Adware:adware/dyfuca Not disinfected Windows Registry
Adware:adware/surfaccuracy Not disinfected Windows Registry
Adware:adware/savenow Not disinfected Windows Registry
Adware:adware/commad Not disinfected Windows Registry
Adware:adware/ist.yoursitebar Not disinfected Windows Registry
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\David Jones\Cookies\david jones@2o7[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\David Jones\Cookies\david [email protected][2].txt
Spyware:Cookie/Atlas DMT Not disinfected C:\Documents and Settings\David Jones\Cookies\david jones@atdmt[1].txt
Spyware:Cookie/Overture Not disinfected C:\Documents and Settings\David Jones\Cookies\david jones@overture[2].txt
Spyware:Cookie/Falkag Not disinfected C:\Documents and Settings\David Jones\Cookies\david [email protected][1].txt
Spyware:Cookie/Server.iad.Liveperson Not disinfected C:\Documents and Settings\David Jones\Cookies\david [email protected][1].txt
Spyware:Cookie/Tradedoubler Not disinfected C:\Documents and Settings\David Jones\Cookies\david jones@tradedoubler[2].txt
Spyware:Cookie/Xiti Not disinfected C:\Documents and Settings\David Jones\Cookies\david jones@xiti[1].txt
Spyware:Cookie/2o7 Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@2o7[2].txt
Spyware:Cookie/Atwola Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@atwola[2].txt
Spyware:Cookie/Casalemedia Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@casalemedia[1].txt
Spyware:Cookie/Com.com Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@com[1].txt
Spyware:Cookie/onestat.com Not disinfected C:\Documents and Settings\Lisa\Cookies\[email protected][2].txt
Spyware:Cookie/Statcounter Not disinfected C:\Documents and Settings\Lisa\Cookies\lisa@statcounter[1].txt
Adware:Adware/Webdir Not disinfected C:\Documents and Settings\Lisa\My Documents\AVICodecPackPlus21.exe[VirtualDNS.dll]
Adware:Adware/Comet Not disinfected C:\Documents and Settings\Lisa\My Documents\sinstaller.exe
Adware:Adware/BroadcastPC Not disinfected C:\Program Files\Bpt\bpt_c.exe
Adware:Adware/IST.ISTBar Not disinfected C:\Program Files\install.exe[optimizer.exe][istinstall_adlogix.exe]
Adware:Adware/AdLogix Not disinfected C:\Program Files\install.exe[swin32.dll]
Adware:Adware/AdLogix Not disinfected C:\Program Files\install.exe[adupdater.exe]
Adware:Adware/SaveNow Not disinfected C:\Program Files\MyEmoticons\uninstall.exe
Adware:Adware/RazeSpyware Not disinfected C:\Program Files\SmartSecurity\Uninstall.exe
Adware:Adware/PurityScan Not disinfected C:\WINDOWS\Downloaded Program Files\start.INF
Virus:Trj/Downloader.AOB Disinfected C:\WINDOWS\system32\3321390.exe
Spyware:Spyware/SafeSurf Not disinfected C:\WINDOWS\system32\InstallerV23.exe[ExtractDLL.dll]
Spyware:Spyware/LinkReplacer Not disinfected C:\WINDOWS\system32\PreUninstallHL.exe
Adware:Adware/CommAd Not disinfected C:\WINDOWS\TGlzYSBKb25lcw\n35Wsm14vZc5wT.vbs
Adware:Adware/DigInk Not disinfected C:\WINDOWS\unin101.exe
Adware:Adware/DigInk Not disinfected C:\WINDOWS\uni_ehhh.exe

Logfile of HijackThis v1.99.1
Scan saved at 18:24:01, on 20/05/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\WINDOWS\System32\cisvc.exe
C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
C:\Program Files\ewido anti-malware\ewidoctrl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\MsPMSPSv.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe
C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE
C:\WINDOWS\system32\RunDll32.exe
C:\WINDOWS\vsnpt513.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\Program Files\VoyagerTest\fts.exe
C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\MessengerPlus! 3\MsgPlus.exe
C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe
C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
C:\Program Files\KCeasy\KCeasy.exe
C:\Program Files\Common Files\AOL\1132492421\ee\AOLHostManager.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
C:\Program Files\Common Files\AOL\1132492421\ee\AOLServiceHost.exe
C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
C:\Program Files\Microsoft Office\Office\OSA.EXE
c:\program files\common files\aol\1132492421\ee\services\antiSpywareApp\ver2_0_12\AOLSP Scheduler.exe
C:\Program Files\Common Files\AOL\1132492421\ee\AOLServiceHost.exe
C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\KCeasy\giFT\giFTl.exe
C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
C:\Program Files\AOL 9.0\waol.exe
C:\Program Files\AOL 9.0\shellmon.exe
C:\Program Files\Common Files\AOL\aoltpspd.exe
C:\WINDOWS\system32\cidaemon.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Windows Media Player\wmplayer.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\HJT\HijackThis.exe

R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://soft-trend.net
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page = http://soft-trend.net
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O4 - HKLM\..\Run: [Dgu] C:\WINDOWS\System32\Rsh.exe
O4 - HKLM\..\Run: [EPSON Stylus C44 Series] C:\WINDOWS\System32\spool\DRIVERS\W32X86\3\E_S10IC2.EXE /P23 "EPSON Stylus C44 Series" /O6 "USB001" /M "Stylus C44"
O4 - HKLM\..\Run: [Icc] C:\WINDOWS\System32\Msg.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe /Consumer
O4 - HKLM\..\Run: [NeroCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [Cmaudio] RunDll32 cmicnfg.cpl,CMICtrlWnd
O4 - HKLM\..\Run: [SNPT513] C:\WINDOWS\vsnpt513.exe
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [ccApp] "C:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [URLLSTCK.exe] C:\Program Files\Norton Internet Security\UrlLstCk.exe
O4 - HKLM\..\Run: [%FP%Friendly fts.exe] "C:\Program Files\VoyagerTest\fts.exe"
O4 - HKLM\..\Run: [AOLDialer] C:\Program Files\Common Files\AOL\ACS\AOLDial.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe"
O4 - HKLM\..\Run: [HostManager] C:\Program Files\Common Files\AOL\1132492421\ee\AOLHostManager.exe
O4 - HKLM\..\Run: [SsAAD.exe] C:\PROGRA~1\Sony\SONICS~1\SsAAD.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_05\bin\jusched.exe
O4 - HKLM\..\Run: [DSLSTATEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslstat.exe icon
O4 - HKLM\..\Run: [DSLAGENTEXE] C:\Program Files\BT Voyager 105 ADSL Modem\dslagent.exe
O4 - HKCU\..\Run: [filecroc] "C:\Program Files\FileCroc\FileCroc.exe" -h
O4 - HKCU\..\Run: [KCeasy] C:\Program Files\KCeasy\KCeasy.exe /hide
O4 - HKCU\..\Run: [MessengerPlus3] "C:\Program Files\MessengerPlus! 3\MsgPlus.exe" /WinStart
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\RunOnce: [Privacy Suite] "C:\Program Files\CyberScrub Privacy Suite\silent.exe" /R
O4 - Startup: Scheduler.lnk = C:\Program Files\SpyCatcher\Scheduler daemon.exe
O4 - Global Startup: Adobe Gamma Loader.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Microsoft Find Fast.lnk = C:\Program Files\Microsoft Office\Office\FINDFAST.EXE
O4 - Global Startup: Office Startup.lnk = C:\Program Files\Microsoft Office\Office\OSA.EXE
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: eBay - Homepage - {EF79EAC5-3452-4E02-B8BD-BA4C89F1AC7A} - C:\Program Files\IrfanView\Ebay\Ebay.htm (file missing)
O16 - DPF: Yahoo! Chat - http://us.chat1.yimg...t/c381/chat.cab
O16 - DPF: {00B71CFB-6864-4346-A978-C0A14556272C} (Checkers Class) - http://messenger.zon...kr.cab31267.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky...can_unicode.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {2917297F-F02B-4B9D-81DF-494B6333150B} (Minesweeper Flags Class) - http://messenger.zon...er.cab31267.cab
O16 - DPF: {4F1E5B1A-2A80-42CA-8532-2D05CB959537} (MSN Photo Upload Tool) - http://spaces.msn.co...ad/MsnPUpld.cab
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1125103750250
O16 - DPF: {8E0D4DE5-3180-4024-A327-4DFAD1796A8D} (MessengerStatsClient Class) - http://messenger.zon...nt.cab31267.cab
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://acs.pandasoft...free/asinst.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {D719897A-B07A-4C0C-AEA9-9B663A28DFCB} - http://ax.phobos.app.../ITDetector.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{BA74F2E4-F118-47DE-B753-A5E7B89C3E17}: NameServer = 205.188.146.145
O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - "C:\PROGRA~1\MSNMES~1\msgrapp.dll" (file missing)
O23 - Service: AOL Connectivity Service (AOL ACS) - America Online, Inc. - C:\Program Files\Common Files\AOL\ACS\AOLAcsd.exe
O23 - Service: AutoComplete Service (Autocomplete) - Unknown owner - C:\Program Files\Acesoft\Tracks Eraser Pro\autocomp.exe (file missing)
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Network Proxy (ccProxy) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccProxy.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: EPSON Printer Status Agent2 (EPSONStatusAgent2) - SEIKO EPSON CORPORATION - C:\Program Files\Common Files\EPSON\EBAPI\SAgent2.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido anti-malware\ewidoctrl.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\11\Intel 32\IDriverT.exe
O23 - Service: LiveUpdate - Symantec Corporation - C:\PROGRA~1\Symantec\LIVEUP~1\LUCOMS~1.EXE
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\navapsvc.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: SAVScan - Symantec Corporation - C:\Program Files\Norton Internet Security\Norton AntiVirus\SAVScan.exe
O23 - Service: ScriptBlocking Service (SBService) - Symantec Corporation - C:\PROGRA~1\COMMON~1\SYMANT~1\SCRIPT~1\SBServ.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec Core LC - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\CCPD-LC\symlcsvc.exe
O23 - Service: SymWMI Service (SymWSC) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\Security Center\SymWSC.exe

#10
Noviciate

Posted 20 May 2006 - 01:45 PM

Confused Helper

Malware Removal
1,567 posts

1) Boot into Safe Mode.

2) Remove any/all of the following files/folders that you can find:

Files

c:\windows\system32\azebar.xml
c:\windows\system32\klo5.sys
c:\windows\system32\mac02.ico
c:\windows\system32\saie_gdf.dat
c:\windows\system32\syscr.dll
c:\windows\downloaded program files\f3initialsetup1.0.0.15.inf
c:\windows\downloaded program files\start77.inf
c:\windows\bundles\2504041110.exe
c:\windows\bbchk.exe
c:\windows\system32\cache32_dsktptr
C:\Documents and Settings\Lisa\My Documents\AVICodecPackPlus21.exe
C:\Documents and Settings\Lisa\My Documents\sinstaller.exe
C:\Program Files\Bpt\bpt_c.exe
C:\Program Files\install.exe
C:\WINDOWS\Downloaded Program Files\start.INF
C:\WINDOWS\system32\3321390.exe
C:\WINDOWS\system32\InstallerV23.exe
C:\WINDOWS\system32\PreUninstallHL.exe
C:\WINDOWS\unin101.exe
C:\WINDOWS\uni_ehhh.exe

As an example:
To delete C:\WINDOWS\system32\filetogo.bye
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on filetogo.bye and from the menu that appears, click on 'Delete'

Folders

c:\program files\common files\Oem Common
c:\program files\common files\Windows
c:\program files\Bpt
c:\program files\MyWay
c:\program files\Rebate_Nation
c:\windows\bundles
c:\documents and settings\all users\application data\vidctr
C:\Program Files\MyEmoticons
C:\Program Files\SmartSecurity
C:\WINDOWS\TGlzYSBKb25lcw

As an example:
To delete C:\WINDOWS\system32\foldertogo
Double click the My Computer icon on your Desktop.
Double click on Local Disc (C:)
Double click on the Windows folder,
Double click on the System 32 folder,
Right click on foldertogo and from the menu that appears, click on 'Delete'

3) Navigate to the C:\Windows\Temp folder and delete all the files that you find there.
Do this for all Usernames.

4) Navigate to C:\Documents and Settings\Username\Local Settings\Temp and delete all the files that you find there.
Do this for all Usernames.

5) Go to Start > Control Panel > Internet Options and under Temporary Internet files, click on Delete Files...
Check the box to the left of 'Delete all offline content' and then click on OK.

6) Boot into Normal Mode.

-----------------------------------------------------------------------------------------------------------------------------

1) Download F-Secure's BlackLight from here and save it to your Desktop.

2) Locate and double click blbeta.exe to run it.

Click the Scan button to begin.
When it has completed, click the Close button.
A text file, fsbl-date/time, will be saved to your Desktop, copy and paste this into your next post.

-----------------------------------------------------------------------------------------------------------------------------

1) Download rootkitrevealer.zip from here and save it to your Desktop.
You will need to extract the file(s) from the zipped folder.

To do this: Right-click on the zipped folder and from the menu that appears, click on Extract All...
In the Extraction Wizard window that opens, click on Next> and in the next window that appears, click on Next> again.
In the final window, click on Finish

You should now see the contents of the rootkitrevealer folder.

2) Log off from the internet and disconnect your modem cable.

3) Exit all applications and keep the system otherwise idle during the RootkitRevealer scanning process.

4) Double click RootkitRevealer.exe and click the Scan button to run it.
When the scan has completed, click on File > Save... and then click on the Save button.
The report will be saved as RootkitReveal.txt in the C:\Windows\System 32 folder - copy and paste it into your next reply.

-----------------------------------------------------------------------------------------------------------------------------

Please perform this online scan: F-Secure Online Scanner Next Generation Beta
You will need to use I.E.
1. Click on the link "F-Secure Online Scanner Next Generation Beta".
2. You may receive an alert on the address bar at this point to install the ActiveX control.
3. Click on that alert and then Click Insall ActiveX component.
4. Read the license agreement and click "Accept".
5. Click "Full System Scan" to download the scanning components and begin scan and cleaning.
6. When done click "Show report" and copy/paste its contents into your next reply.