Jump to content

Welcome to Geeks to Go - Register now for FREE

Need help with your computer or device? Want to learn new tech skills? You're in the right place!
Geeks to Go is a friendly community of tech experts who can solve any problem you have. Just create a free account and post your question. Our volunteers will reply quickly and guide you through the steps. Don't let tech troubles stop you. Join Geeks to Go now and get the support you need!

How it Works Create Account
Photo

Amaena and Look2me [RESOLVED]

Started by jmcconkey , Jul 26 2006 07:10 AM

  • This topic is locked This topic is locked

#1
jmcconkey
Posted 26 July 2006 - 07:10 AM

jmcconkey

    Member

  • Member
  • PipPip
  • 61 posts
I cant seem to get rid of these popups. I have ran HJT, ewido, windows defender, Adware, Spybot S&D, all them find the files, and show it clean, then when I reboot, bam they are all back. I am running the scanning in normal and in safe mode. I am at a lost and Have no clue what to do next. I have attached a copy of the HTJ below. Any help would be great. Also, can this thing capture credit card and bank info?

Thanks!

______________


ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 7:45:59 PM 7/24/2006

+ Scan result:



C:\Program Files\AWS\WeatherBug\MiniBugTransporter.dll -> Adware.Aws : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0000210.exe -> Adware.BookedSpace : Cleaned.
C:\WINDOWS\xdpldlzq.exe -> Adware.BookedSpace : Cleaned.
C:\Program Files\System Files\plugin.dll -> Adware.CASClient : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000110.dll -> Adware.CommAd : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000111.exe -> Adware.CommAd : Cleaned.
C:\WINDOWS\ZG9ua2V5\command.exe -> Adware.CommAd : Cleaned.
C:\Documents and Settings\donkey\Desktop\hijackthis\backups\backup-20060724-115246-602.dll -> Adware.Coupons : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000209.ocx -> Adware.Coupons : Cleaned.
C:\WINDOWS\SYSTEM32\nse7BD9.dll -> Adware.Ezula : Cleaned.
C:\WINDOWS\SYSTEM32\gtdownls_95.ocx -> Adware.Gdown : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\temp.fr76D5 -> Adware.Look2Me : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\temp.frC746 -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000098.exe -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000105.exe -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000107.dll -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000108.dll -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000121.dll -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000134.dll -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000135.dll -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000190.dll -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000199.dll -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0000220.DLL -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0000226.dll -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000240.dll -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000262.DLL -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000265.dll -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000268.dll -> Adware.Look2Me : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000279.dll -> Adware.Look2Me : Cleaned.
C:\WINDOWS\SYSTEM32\en6sl1j71.dll -> Adware.Look2Me : Cleaned.
C:\WINDOWS\SYSTEM32\h4j4le1q1h.dll -> Adware.Look2Me : Cleaned.
C:\WINDOWS\SYSTEM32\mcxml2.dll -> Adware.Look2Me : Cleaned.
C:\WINDOWS\SYSTEM32\rJsmans.dll -> Adware.Look2Me : Cleaned.
C:\WINDOWS\SYSTEM32\rSstapi.dll -> Adware.Look2Me : Cleaned.
[700] C:\WINDOWS\system32\mjxml2.dll -> Adware.Look2Me : Cleaned.
[792] C:\WINDOWS\system32\mjxml2.dll -> Adware.Look2Me : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\mmxsnet.exe -> Adware.MediaMotor : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temporary Internet Files\Content.IE5\3683VX4H\mmxsnet[1].exe -> Adware.MediaMotor : Cleaned.
C:\WINDOWS\unstall.exe -> Adware.MediaMotor : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000101.exe -> Adware.MediaTicket : Cleaned.
C:\WINDOWS\SYSTEM32\WinNB58.dll -> Adware.Mirar : Cleaned.
C:\Documents and Settings\donkey\My Documents\Оracle\ntvdm.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000082.exe -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000140.dll -> Adware.PurityScan : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000194.dll -> Adware.Softomate : Cleaned.
C:\WINDOWS\SYSTEM32\n9nyb.exe -> Adware.Suggestor : Cleaned.
C:\WINDOWS\SYSTEM32\zqskw.exe -> Adware.Suggestor : Cleaned.
C:\WINDOWS\system32n9nyb.exe -> Adware.Suggestor : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000186.exe -> Adware.SurfSide : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000189.dll -> Adware.SurfSide : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0000221.cmd -> Backdoor.Afcore.cq : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000278.dll -> Backdoor.Afcore.cr : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Rem1AF.exe -> Dialer.Generic : Cleaned.
C:\kybrded_7.exe -> Downloader.Adload.cu : Cleaned.
C:\nwnmed_7.exe -> Downloader.Adload.cy : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000076.exe -> Downloader.Adload.de : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000088.exe -> Downloader.Agent.aaf : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000138.exe -> Downloader.Agent.aaf : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0000222.dll -> Downloader.Agent.agw : Cleaned.
C:\WINDOWS\optimize.exe -> Downloader.Dyfuca.ey : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temporary Internet Files\Content.IE5\GBGV4L4F\get_3061_Deadaim.4.5.full_crack[1].htm -> Downloader.IstBar.u : Cleaned.
C:\installerwnusnewer.exe -> Downloader.Qoologic.at : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0000217.exe -> Downloader.Qoologic.bj : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0000223.dll -> Downloader.Qoologic.bj : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0000224.exe -> Downloader.Qoologic.bj : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0000225.exe -> Downloader.Qoologic.bj : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000239.dll -> Downloader.Qoologic.bj : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000257.exe -> Downloader.Qoologic.bj : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000259.exe -> Downloader.Qoologic.bj : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000260.exe -> Downloader.Qoologic.bj : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP3\A0000261.exe -> Downloader.Qoologic.bj : Cleaned.
C:\WINDOWS\SYSTEM32\wivjd.dat -> Downloader.Qoologic.bj : Cleaned.
C:\WINDOWS\SYSTEM32\wsggibd.dll -> Downloader.Qoologic.bj : Cleaned.
C:\WINDOWS\pss\jsshx.exeCommon Startup -> Downloader.Qoologic.bj : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000081.exe -> Downloader.Small.ajc : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000099.exe -> Downloader.Small.buy : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000100.exe -> Downloader.Small.buy : Cleaned.
C:\WINDOWS\pi1_36.exe -> Downloader.Small.cqy : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000097.dll -> Downloader.Small.ctp : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000104.exe -> Downloader.TSUpdate.o : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temporary Internet Files\Content.IE5\GBGV4L4F\amm06[1].ocx -> Downloader.VB.bo : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000075.ocx -> Downloader.VB.bo : Cleaned.
C:\WINDOWS\amm06.ocx -> Downloader.VB.bo : Cleaned.
G:\Downloads\sev.rar/sev.exe -> Dropper.Delf.yb : Cleaned.
G:\Downloads\sev\sev.exe -> Dropper.Delf.yb : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000103.exe -> Dropper.Small.qn : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000109.exe -> Hijacker.Small : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temporary Internet Files\Content.IE5\6LOP6ZYH\drsmartload46a[1].exe -> Hijacker.VB.fg : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temporary Internet Files\Content.IE5\L7NNP1KA\drsmartload849a[1].exe -> Hijacker.VB.fg : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temporary Internet Files\Content.IE5\SB1J6EFT\drsmartload180a[1].exe -> Hijacker.VB.fg : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temporary Internet Files\Content.IE5\SB1J6EFT\drsmartload45a[1].exe -> Hijacker.VB.fg : Cleaned.
C:\drsmartload45a7d.exe -> Hijacker.VB.fg : Cleaned.
C:\drsmartload46a7d.exe -> Hijacker.VB.fg : Cleaned.
C:\drsmartload46a7f.exe -> Hijacker.VB.fg : Cleaned.
C:\drsmartload849a7d.exe -> Hijacker.VB.fg : Cleaned.
C:\drsmartload849a7f.exe -> Hijacker.VB.fg : Cleaned.
C:\dfndred_7.exe -> Hijacker.VB.nh : Cleaned.
C:\Program Files\Common Files\Microsoft Shared\Web Components\vupdman.exe -> Logger.Agent.mz : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\WinAntiVirusPro2006FreeInstall.exe -> Not-A-Virus.Downloader.Win32.WinFixer.o : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temporary Internet Files\Content.IE5\GBGV4L4F\xp-cydoor-728[1].swf -> Not-A-Virus.Hoax.SWF.Alerter.a : Cleaned.
C:\Program Files\Network Monitor\netmon.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000096.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : Cleaned.
C:\WINDOWS\Downloaded Program Files\ActiveSecurity.ocx -> Not-A-Virus.VirTool.Win32.Collector : Cleaned.
:mozilla.10:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
:mozilla.11:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\WINDOWS\Temp\Cookies\[email protected][1].txt -> TrackingCookie.2o7 : Cleaned.
C:\Documents and Settings\donkey\Cookies\donkey@aavalue[2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][2].txt -> TrackingCookie.Aavalue : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Addynamix : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Adjuggler : Cleaned.
:mozilla.21:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned.
:mozilla.23:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.Adserver : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][1].txt -> TrackingCookie.Adtrak : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Adtrak : Cleaned.
:mozilla.18:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
:mozilla.19:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.Advertising : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\donkey@atdmt[2].txt -> TrackingCookie.Atdmt : Cleaned.
C:\WINDOWS\Temp\Cookies\donkey@atdmt[1].txt -> TrackingCookie.Atdmt : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Bestoffersnetworks : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\donkey@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\donkey@bluestreak[1].txt.dat/Documents and Settings/donkey/Cookies/donkey@bluestreak[1].txt -> TrackingCookie.Bluestreak : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][1].txt -> TrackingCookie.Clickhype : Cleaned.
C:\Documents and Settings\donkey\Cookies\donkey@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\donkey@cpvfeed[1].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\WINDOWS\Temp\Cookies\donkey@cpvfeed[2].txt -> TrackingCookie.Cpvfeed : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\donkey@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\donkey@doubleclick[1].txt.dat/Documents and Settings/donkey/Cookies/donkey@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\WINDOWS\Temp\Cookies\donkey@doubleclick[1].txt -> TrackingCookie.Doubleclick : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Enhance : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\WINDOWS\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Euroclick : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned.
C:\WINDOWS\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned.
C:\WINDOWS\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\donkey@fastclick[1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Fastclick : Cleaned.
C:\Documents and Settings\LocalService\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Goldenpalace : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\donkey@goldenpalace[1].txt -> TrackingCookie.Goldenpalace : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\donkey@hitbox[2].txt -> TrackingCookie.Hitbox : Cleaned.
C:\Documents and Settings\donkey\Cookies\donkey@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned.
C:\WINDOWS\Temp\Cookies\donkey@kmpads[2].txt -> TrackingCookie.Kmpads : Cleaned.
C:\WINDOWS\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Liveperson : Cleaned.
C:\Documents and Settings\donkey\Cookies\donkey@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\donkey@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\donkey@mediaplex[1].txt.dat/Documents and Settings/donkey/Cookies/donkey@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\WINDOWS\Temp\Cookies\donkey@mediaplex[1].txt -> TrackingCookie.Mediaplex : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Myaffiliateprogram : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][1].txt -> TrackingCookie.Overture : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][2].txt -> TrackingCookie.Overture : Cleaned.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\donkey@questionmarket[2].txt.dat/Documents and Settings/donkey/Cookies/donkey@questionmarket[2].txt -> TrackingCookie.Questionmarket : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\WINDOWS\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Reliablestats : Cleaned.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\donkey@revenue[1].txt.dat/Documents and Settings/donkey/Cookies/donkey@revenue[1].txt -> TrackingCookie.Revenue : Cleaned.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\donkey@revenue[2].txt.dat/Documents and Settings/donkey/Cookies/donkey@revenue[2].txt -> TrackingCookie.Revenue : Cleaned.
:mozilla.12:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.13:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
:mozilla.14:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.Ru4 : Cleaned.
C:\WINDOWS\Temp\Cookies\[email protected][2].txt -> TrackingCookie.Ru4 : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\donkey\Cookies\donkey@searchingbooth[2].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\donkey@searchingbooth[2].txt -> TrackingCookie.Searchingbooth : Cleaned.
:mozilla.24:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.25:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.26:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.27:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
:mozilla.28:C:\Documents and Settings\donkey\Application Data\Mozilla\Profiles\default\jyx66k9b.slt\cookies.txt -> TrackingCookie.Specificclick : Cleaned.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\donkey@spylog[1].txt.dat/Documents and Settings/donkey/Cookies/donkey@spylog[1].txt -> TrackingCookie.Spylog : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\donkey@statcounter[2].txt -> TrackingCookie.Statcounter : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][2].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Documents and Settings\donkey\Cookies\donkey@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\WINDOWS\Temp\Cookies\donkey@tacoda[1].txt -> TrackingCookie.Tacoda : Cleaned.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][1].txt.dat/Documents and Settings/donkey/Cookies/[email protected][1].txt -> TrackingCookie.Top-banners : Cleaned.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\donkey@trafficmp[1].txt.dat/Documents and Settings/donkey/Cookies/donkey@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\donkey@trafficmp[2].txt.dat/Documents and Settings/donkey/Cookies/donkey@trafficmp[2].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\WINDOWS\Temp\Cookies\donkey@trafficmp[1].txt -> TrackingCookie.Trafficmp : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\donkey@tribalfusion[1].txt -> TrackingCookie.Tribalfusion : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Webtrendslive : Cleaned.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\donkey@xxxcounter[1].txt.dat/Documents and Settings/donkey/Cookies/donkey@xxxcounter[1].txt -> TrackingCookie.Xxxcounter : Cleaned.
C:\Documents and Settings\donkey\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\donkey\Cookies\donkey@yieldmanager[1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Program Files\Enigma Software Group\SpyHunter\Backup\[email protected][2].txt.dat/Documents and Settings/donkey/Cookies/[email protected][2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\Temp\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\WINDOWS\Temp\Cookies\donkey@yieldmanager[2].txt -> TrackingCookie.Yieldmanager : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temp\Cookies\donkey@zedo[2].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\Temp\Cookies\donkey@zedo[1].txt -> TrackingCookie.Zedo : Cleaned.
C:\WINDOWS\SYSTEM32\redist.dll -> Trojan.Agent.sx : Cleaned.
C:\WINDOWS\SYSTEM32\redistributor.exe -> Trojan.Agent.sx : Cleaned.
G:\Downloads\sev.rar/crack.exe -> Trojan.Delf.DM : Cleaned.
C:\Documents and Settings\donkey\Local Settings\Temporary Internet Files\Content.IE5\RFYFGLE5\!update-4020[1].0000 -> Trojan.PurityAd : Cleaned.
C:\Program Files\Μіcrosoft.NET\msconfig.exe -> Trojan.PurityAd : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP1\A0000079.exe -> Trojan.PurityAd : Cleaned.
C:\System Volume Information\_restore{987E0331-0F01-427C-A58A-7A2E4AABF84D}\RP2\A0000213.exe -> Trojan.Qoologic : Cleaned.
C:\Program Files\Common Files\{A8AAE904-0A60-1033-0226-030204250001}\Update.exe -> Trojan.Starter.65 : Cleaned.


::Report end


HJT LOG


Logfile of HijackThis v1.99.1
Scan saved at 9:11:20 AM, on 7/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\System32\MsPMSPSv.exe
G:\Programs\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
G:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Sonic\Backup MyPC 6\System\sbestart.exe
C:\Program Files\Sonic\Backup MyPC 6\sbewin32.exe
C:\WINDOWS\System32\dllhost.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\Program Files\Sonic\Backup MyPC 6\System\sbestart.exe
C:\Program Files\Sonic\Backup MyPC 6\sbewin32.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\donkey\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\huxkr.exe
F2 - REG:system.ini: UserInit=userinit.exe,spfncxr.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [luumur] c:\windows\system32\lmkenwy.exe
O4 - HKLM\..\Run: [HP Software Update] "G:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\donkey\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [qclxrq] C:\WINDOWS\system32\qlhgrs.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Ho0qRgj7S] mdirac32.exe
O4 - HKCU\..\Run: [Wbgpmv] C:\Documents and Settings\donkey\My Documents\?racle\ntvdm.exe
O4 - HKCU\..\Run: [myrys] C:\WINDOWS\system32\qlhgrs.exe reg_run
O4 - Global Startup: Acrobat Assistant.lnk = G:\Programs\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - G:\Programs\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.instanetforms.com
O15 - Trusted Zone: http://bettysuttonsa...point2agent.com
O15 - Trusted Zone: *.realestatebybetty.com
O15 - Trusted Zone: *.verizon.net
O16 - DPF: ConferenceRoom Java Client - http://hotwired3.tec...000/java/cr.cab
O16 - DPF: PUFLITE - http://jeffmcconkey....rol/PUFLITE.CAB
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.game...ts/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...oad/tgctlcm.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...od/install.html
O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://mfr.mlxchange...FileCruiser.cab
O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://tampabay.mlxc...ol/Specfile.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://mfr.mlxchange...ontrol/SISC.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange...ectComboBox.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.mo...eAutoLaunch.ocx
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - http://opal.pascocou...palplayerx5.cab
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.o...scriptPrint.CAB
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pubgis.co.pin....3/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123246965718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133485787484
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange...ClientUtils.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://mfr.mlxchange...ol/LiteGrid.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mfr.mlxchange...ol/IRCSharc.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www25.wirele...SyncInstall.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} (Cerebus Class) - http://tampabay.mlxc...trol/WebDog.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CF392BE0-B84F-46E9-BDA9-845119819119} (IPAQSelfHelp Class) - http://isupport4.hp....SPEIPAQTool.CAB
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave...aploader_v5.cab
O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://tampabay.mlxc...CustomCtrls.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\fpn8035ue.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

Advertisements

#2
jmcconkey
Posted 26 July 2006 - 07:49 AM

jmcconkey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
UPDATE>>>>>

I found a program called "Look2Me-Destroyer" and I ran it. The log is below as well as an updated HJT log.

Look2Me-Destroyer V1.0.12

Scanning for infected files.....
Scan started at 7/26/2006 9:22:03 AM

Infected! C:\WINDOWS\system32\fpn8035ue.dll
Infected! C:\WINDOWS\SYSTEM32\fpn8035ue.dll
Infected! C:\WINDOWS\SYSTEM32\h60qlgd5160.dll

Attempting to delete infected files...

Attempting to delete: C:\WINDOWS\system32\fpn8035ue.dll
C:\WINDOWS\system32\fpn8035ue.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\fpn8035ue.dll
C:\WINDOWS\SYSTEM32\fpn8035ue.dll Deleted successfully!

Attempting to delete: C:\WINDOWS\SYSTEM32\h60qlgd5160.dll
C:\WINDOWS\SYSTEM32\h60qlgd5160.dll Deleted successfully!

Making registry repairs.

Removing: HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\Telephony

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{5DEC001B-B1E2-4ACA-BBAC-7001B6C18E7F}"
HKCR\Clsid\{5DEC001B-B1E2-4ACA-BBAC-7001B6C18E7F}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{C4F94BBB-AFB4-49E1-BAF5-EAC5057FA1A4}"
HKCR\Clsid\{C4F94BBB-AFB4-49E1-BAF5-EAC5057FA1A4}

Removing: HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved "{DC13B990-FF90-4889-A5DB-6785510E62BC}"
HKCR\Clsid\{DC13B990-FF90-4889-A5DB-6785510E62BC}

Restoring Windows certificates.

Replaced hosts file with default windows hosts file


Restoring SeDebugPrivilege for Administrators - Succeeded

.>
>
>
>
>


HJT LOG>>>>

Logfile of HijackThis v1.99.1
Scan saved at 9:50:46 AM, on 7/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
G:\Programs\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
G:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\donkey\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\huxkr.exe
F2 - REG:system.ini: UserInit=userinit.exe,spfncxr.exe
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [luumur] c:\windows\system32\lmkenwy.exe
O4 - HKLM\..\Run: [HP Software Update] "G:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\donkey\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [qclxrq] C:\WINDOWS\system32\qlhgrs.exe reg_run
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Ho0qRgj7S] mdirac32.exe
O4 - HKCU\..\Run: [Wbgpmv] C:\Documents and Settings\donkey\My Documents\?racle\ntvdm.exe
O4 - HKCU\..\Run: [myrys] C:\WINDOWS\system32\qlhgrs.exe reg_run
O4 - Global Startup: Acrobat Assistant.lnk = G:\Programs\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - G:\Programs\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: *.instanetforms.com
O15 - Trusted Zone: http://bettysuttonsa...point2agent.com
O15 - Trusted Zone: *.realestatebybetty.com
O15 - Trusted Zone: *.verizon.net
O16 - DPF: ConferenceRoom Java Client - http://hotwired3.tec...000/java/cr.cab
O16 - DPF: PUFLITE - http://jeffmcconkey....rol/PUFLITE.CAB
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.game...ts/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...oad/tgctlcm.cab
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...od/install.html
O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://mfr.mlxchange...FileCruiser.cab
O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://tampabay.mlxc...ol/Specfile.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://mfr.mlxchange...ontrol/SISC.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange...ectComboBox.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.mo...eAutoLaunch.ocx
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - http://opal.pascocou...palplayerx5.cab
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.o...scriptPrint.CAB
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pubgis.co.pin....3/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123246965718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133485787484
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange...ClientUtils.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://mfr.mlxchange...ol/LiteGrid.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mfr.mlxchange...ol/IRCSharc.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www25.wirele...SyncInstall.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} (Cerebus Class) - http://tampabay.mlxc...trol/WebDog.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CF392BE0-B84F-46E9-BDA9-845119819119} (IPAQSelfHelp Class) - http://isupport4.hp....SPEIPAQTool.CAB
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave...aploader_v5.cab
O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://tampabay.mlxc...CustomCtrls.cab
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#3
Crustyoldbloke
Posted 26 July 2006 - 07:50 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello jmcconkey and welcome to Geeks to Go

As an introduction, please note that I am not Superhuman, I do not know everything, but what I do know has taken me years to learn. I am happy to pass on this information to you, but please bear in mind that I am also fallible.

Please note that you should have Administrator rights to perform the fixes. Also note that multiple identity PC’s (family PC’s) present a different problem; please tell me if your PC has more than one individual’s setting, but continue with the fix.

Before we get underway, you may wish to print these instructions for easy reference during the fix, although please be aware that many of the required URLs are hyperlinks in the red names shown on your screen. Part of the fix may require you to be in Safe Mode, which will not allow you to access the internet, or my instructions!

You have a very poorly PC with a few different infections. Let’s see what we can do.

Firstly could you please disable Windows Defender. Open Windows Defender. Click Tools, and then click General Settings. Under Protection options, clear the Use Windows Defender to help protect my computer check box. Then click Save

Also please disable Ewido Guard from running. Right click on the orange icon in the taskbar (near the clock) and uncheck Resident Shield. The icon will change to a grey colour.

When your PC has been declared clean, please only enable one of those two programmes to run in real-time. All others should be used as “on demand” scanners. Having more than one antispyware programme running in real-time will cause slowness and even conflicts.

Please download Look2Me-Destroyer.exe to your desktop.
  • Close all windows before continuing.
  • Double-click Look2Me-Destroyer.exe to run it.
  • Put a checkmark or tick next to Run this programme as a task.
  • You will receive a message saying Look2Me-Destroyer will close and re-open in approximately 10 seconds. Click OK
  • When Look2Me-Destroyer re-opens, click the Scan for L2M button, your desktop icons will disappear, this is normal.
  • Once it's done scanning, click the Remove L2M button.
  • You will receive a Done Scanning message, click OK.
  • When completed, you will receive this message: Done removing infected files! Look2Me-Destroyer will now shutdown your computer, click OK.
  • Your computer will then shutdown.
  • Turn your computer back on.
  • Please post the contents of C:\Look2Me-Destroyer.txt
If you receive a message from your firewall about this program accessing the internet please allow it.

If you receive a runtime error '339' please download MSWINSCK.OCX from the link below and place it in your C:\Windows\System32 Directory.
http://www.ascentive...ib/MSWINSCK.OCX

Please download the following programmes, we will run them later. Please save them to a place that you will remember, I suggest the Desktop:

Killbox by Option^Explicit
CCleaner
combofix.exe

Double click combofix.exe & follow the prompts.

When it has finished, it will produce a log. Please post that log in your next reply.

Note: Do not mouseclick combofix's window whilst it's running. That may cause it to stall

Right click on this link Del 015 Domains.inf and choose Save (link) As. Save it to your desktop. Right click on that file and choose Install. It will run immediately (you won't be able to see anything happen). You may delete it afterwards

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\system32\huxkr.exe
F2 - REG:system.ini: UserInit=userinit.exe,spfncxr.exe
O4 - HKLM\..\Run: [luumur] c:\windows\system32\lmkenwy.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [qclxrq] C:\WINDOWS\system32\qlhgrs.exe reg_run
O4 - HKCU\..\Run: [Ho0qRgj7S] mdirac32.exe
O4 - HKCU\..\Run: [myrys] C:\WINDOWS\system32\qlhgrs.exe reg_run
O15 - Trusted Zone: *.instanetforms.com
O15 - Trusted Zone: http://bettysuttonsa...point2agent.com
O15 - Trusted Zone: *.realestatebybetty.com
O15 - Trusted Zone: *.verizon.net
O16 - DPF: PUFLITE - http://jeffmcconkey....rol/PUFLITE.CAB
O16 - DPF: {03F998B2-0E00-11D3-A498-00104B6EB52E} - https://components.v...od/install.html
O16 - DPF: {0D859AF0-C75E-11D4-B760-00E0B81077E8} (FileCruiser Class) - http://mfr.mlxchange...FileCruiser.cab
O16 - DPF: {16FD824B-8E7B-11D2-9855-00802962956C} (Specfile Control) - http://tampabay.mlxc...ol/Specfile.cab
O16 - DPF: {1D0D9077-3798-49BB-9058-393499174D5D} - file://c:\counter.cab
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://mfr.mlxchange...ontrol/SISC.cab
O16 - DPF: {41F17733-B041-4099-A042-B518BB6A408C} - http://a1540.g.akama...meInstaller.exe
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange...ectComboBox.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange...ClientUtils.cab
O16 - DPF: {75D1F3B2-2A21-11D7-97B9-0010DC2A6243} (SecureLogin.SecureControl) - http://secure2.comne...iveSecurity.cab
O16 - DPF: {78523E50-56EB-11D3-B739-CAA1986A452F} (LiteGridCtl Class) - http://mfr.mlxchange...ol/LiteGrid.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mfr.mlxchange...ol/IRCSharc.cab
O16 - DPF: {8A0DCBDB-6E20-489C-9041-C1E8A0352E75} - http://awbeta.net-nu.../FIX/WinATS.cab
O16 - DPF: {B198A72B-B4C3-42B5-B8DA-B364E76429AA} (Cerebus Class) - http://tampabay.mlxc...trol/WebDog.cab
O16 - DPF: {DBA230D1-8467-4e69-987E-5FAE815A3B45} -
O16 - DPF: {DF780F87-FF2B-4DF8-92D0-73DB16A1543A} - http://www.shockwave...aploader_v5.cab
O16 - DPF: {F060A272-A18A-11D3-B75B-00E0B81077E8} (DropList Class) - http://tampabay.mlxc...CustomCtrls.cab
O20 - Winlogon Notify: Telephony - C:\WINDOWS\system32\fpn8035ue.dll

Now close all windows other than HiJackThis, then click Fix Checked.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\system32\huxkr.exe
C:\WINDOWS\system32\spfncxr.exe
c:\windows\system32\lmkenwy.exe
C:\WINDOWS\system32\wfxqhv.exe
C:\WINDOWS\system32\qlhgrs.exe reg_run
C:\WINDOWS\system32\mdirac32.exe
C:\WINDOWS\system32\fpn8035ue.dll
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

There is almost certainly bound to be some junk (leftover bits and pieces) on your system that is doing nothing but taking up space. I would recommend that you run CCleaner. Install it, check the default setting in the left-hand pane, ensure you uncheck old prefetch data found under the system tab, and under the heading of Utilities uncheck Ewido Security Suite log then click Analyze> Run Cleaner. You may be fairly surprised by how much it finds. Also click Issues then Scan for issues – fix selected issues

Go to START > RUN > type in msconfig > hit ENTER > STARTUP > check ENABLE ALL > APPLY > OK > REBOOT.

Post back a fresh HijackThis log (from normal mode) and I will take another look. (3 logs in total)
  • 0

#4
Crustyoldbloke
Posted 26 July 2006 - 07:52 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Just saw your second post. Please continue with the fix except for the Look2me destroyer part.
  • 0

#5
jmcconkey
Posted 26 July 2006 - 08:53 AM

jmcconkey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Thanks for your reply...okay here is where I am...I ran the combofix and the log file is below. I also installed the Del 015 Domains.inf. I then opened HTJ and fixed the files listed on your post. I then ran Killbox and I did get the PendingFileRenameOperations prompt. I selected Yes, but when I did the prompt went away, but the PC did not restart. I restarted the PC myself, and then I ran HTJ again. I have listed the log for it below.

COMBOFIX LOG -->>>>>

Start Time= Wed 07/26/2006 10:02:36.67
Running from: C:\Documents and Settings\donkey\Desktop

((((((((((((((((((((((((((((((((((((((((((((( Qoologic's Log )))))))))))))))))))))))))))))))))))))))))))))))))))

10:05:57.59

Not all files found by this method are bad. There may be legitimate files found
This log should be examined by a trained analyst


* * * PRE-RUN - Filepaths extracted from the Registry * * * * * * * * * * * * * * * * * * * * * *




* * * PRE-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-07-23 09:14:38 45,056 "C:\WINDOWS\SYSTEM32\ghynf.exe"
2006-06-24 20:31:50 34,308 "C:\WINDOWS\SYSTEM32\BASSMOD.dll"
2006-07-24 13:01:12 24 "C:\WINDOWS\SYSTEM32\KBDNX.dat"
2006-07-24 13:08:10 507 "C:\WINDOWS\pgnmi.dll"
2006-07-23 14:48:06 53 "C:\WINDOWS\bwbeqq.dat"


* * * POST-RUN - Files in the Quarantine folder * * * * * * * * * * * * * * * * * * * * * * * * *


07/23/2006 02:48 PM 53 bwbeqq.dat.vir


DO NOT DELETE ANY FILES FROM THIS DIRECTORY UNLESS INSTRUCTED TO


* * * POST-RUN - Filepaths from Locate * * * * * * * * * * * * * * * * * * * * * * * * * * * * * *


2006-07-23 09:14:38 45,056 "C:\WINDOWS\SYSTEM32\ghynf.exe"
2006-06-24 20:31:50 34,308 "C:\WINDOWS\SYSTEM32\BASSMOD.dll"
2006-07-24 13:01:12 24 "C:\WINDOWS\SYSTEM32\KBDNX.dat"
2006-07-24 13:08:10 507 "C:\WINDOWS\pgnmi.dll"


(((((((((((((((((((((((((((((((((((((((((((( Other Deletions )))))))))))))))))))))))))))))))))))))))))))))))))


C:\drsmartload.exe
C:\drsmartload45a7f.exe
C:\dfndref_7.exe
C:\nwnmef_7.exe
C:\kybrdef_7.exe
C:\Documents and Settings\donkey\Local Settings\Temporary Internet Files\Content.IE5\3683VX4H\drsmartload45a[1].exe
C:\Documents and Settings\donkey\Local Settings\Temporary Internet Files\Content.IE5\GBGV4L4F\dfndref_7[1].exe
C:\Documents and Settings\donkey\Local Settings\Temporary Internet Files\Content.IE5\L7NNP1KA\nwnmef_7[1].exe
C:\Documents and Settings\donkey\Local Settings\Temporary Internet Files\Content.IE5\SB1J6EFT\kybrdef_7[1].exe
C:\WINDOWS\newname.dat
C:\WINDOWS\keyboard1.dat
C:\Documents and Settings\NetworkService\Application Data\NetMon


(((((((((((((((((((((((((((((((((((((((((((((((( Find3M Report )))))))))))))))))))))))))))))))))))))))))))))))))))))


2006-07-24 16:39:54 ( .D... ) "C:\Program Files\ewido anti-spyware 4.0"
2006-07-24 16:14:52 77312 ( A.... ) "C:\WINDOWS\SYSTEM32\VundoFix.exe"
2006-07-24 13:08:10 507 ( A.... ) "C:\WINDOWS\pgnmi.dll"
2006-07-24 09:34:50 2 ( A.... ) "C:\WINDOWS\SYSTEM32\wnsintsv.exe"
2006-07-24 07:06:04 ( .D... ) "C:\Program Files\Enigma Software Group"
2006-07-24 06:51:54 ( .D... ) "C:\Documents and Settings\donkey\Application Data\Registry Booster"
2006-07-23 09:16:58 ( .D... ) "C:\Program Files\System Icons"
2006-07-23 09:16:58 ( .D... ) "C:\Program Files\System Files"
2006-07-23 09:16:58 ( .D... ) "C:\Program Files\InetGet2"
2006-07-23 09:16:48 500512 ( A.... ) "C:\626_101newer.exe"
2006-07-23 09:16:04 ( .D... ) "C:\Documents and Settings\donkey\Application Data\a?sembly"
2006-07-23 09:15:52 ( .D... ) "C:\Program Files\Common Files\ofuf"
2006-07-23 09:15:20 260376 ( A.... ) "C:\visfx500new.exe"
2006-07-23 09:15:04 32976 ( A.... ) "C:\WINDOWS\SYSTEM32\uninstIcn.exe"
2006-07-23 09:14:48 359634 ( A.... ) "C:\WINDOWS\media_motor_bundle.exe"
2006-07-23 09:14:40 28672 ( A.... ) "C:\WINDOWS\system32bez6n4r21.exe"
2006-07-23 09:14:40 0 ( A.... ) "C:\WINDOWS\system32ghynf.exe"
2006-07-23 09:14:38 45056 ( A.... ) "C:\WINDOWS\SYSTEM32\ghynf.exe"
2006-07-23 09:14:38 28672 ( A.... ) "C:\WINDOWS\SYSTEM32\bez6n4r21.exe"
2006-07-23 09:14:32 57344 ( A.... ) "C:\fym9bvo.exe"
2006-07-23 09:14:30 ( .D... ) "C:\Program Files\??crosoft.NET"
2006-07-23 09:14:26 ( .D... ) "C:\Program Files\Common Files\{A8AAE904-0A60-1033-0226-030204250001}"
2006-07-20 16:30:00 159744 ( A.... ) "C:\WINDOWS\SYSTEM32\cvn0.exe"
2006-07-02 16:12:12 ( .D... ) "C:\Program Files\AnMing"
2006-06-30 21:09:50 2508 ( A.... ) "C:\Documents and Settings\donkey\Application Data\$_hpcst$.hpc"
2006-06-30 20:15:26 ( .D... ) "C:\Program Files\Wireless Sync"
2006-06-26 18:12:18 ( .D... ) "C:\Program Files\Power Email Verifier"
2006-06-26 18:06:48 356352 ( A.... ) "C:\WINDOWS\eSellerateEngine.dll"
2006-06-26 17:56:54 ( .D... ) "C:\Program Files\Common Files\DeskShare Shared"
2006-06-26 17:56:52 ( .D... ) "C:\Program Files\Deskshare"
2006-06-24 21:18:30 ( .D... ) "C:\Program Files\Macromedia"
2006-06-24 20:31:50 34308 ( A.... ) "C:\WINDOWS\SYSTEM32\BASSMOD.dll"
2006-06-24 14:10:46 ( .D... ) "C:\Documents and Settings\donkey\Application Data\Blumentals"
2006-06-21 18:38:40 235228 ( A.... ) "C:\WINDOWS\SYSTEM32\icon_mediamotor.exe"
2006-06-21 18:38:16 115239 ( A.... ) "C:\WINDOWS\SYSTEM32\ts_mediamotor.exe"
2006-06-19 18:53:14 ( .D... ) "C:\Program Files\Windows Defender"
2006-06-02 10:32:08 24576 ( A.... ) "C:\WINDOWS\SYSTEM32\rmoc3260.dll"


(((((((((((((((((((((((((((((((((((((( Files Created - Last 30days )))))))))))))))))))))))))))))))))))))))))))


2006-07-24 19:48 1,072,750,592 C:\hiberfil.sys
2006-07-24 16:14 77,312 C:\WINDOWS\system32\VundoFix.exe
2006-07-23 09:16 500,512 C:\626_101newer.exe
2006-07-23 09:16 2 C:\WINDOWS\system32\wnsintsv.exe
2006-07-23 09:15 32,976 C:\WINDOWS\system32\uninstIcn.exe
2006-07-23 09:15 260,376 C:\visfx500new.exe
2006-07-23 09:14 57,344 C:\fym9bvo.exe
2006-07-23 09:14 507 C:\WINDOWS\pgnmi.dll
2006-07-23 09:14 45,056 C:\WINDOWS\system32\ghynf.exe
2006-07-23 09:14 359,634 C:\WINDOWS\media_motor_bundle.exe
2006-07-23 09:14 28,672 C:\WINDOWS\system32bez6n4r21.exe
2006-07-23 09:14 28,672 C:\WINDOWS\system32\bez6n4r21.exe
2006-07-23 09:14 159,744 C:\WINDOWS\system32\cvn0.exe
2006-07-23 09:14 0 C:\WINDOWS\system32ghynf.exe
2006-07-02 16:12 65,536 C:\WINDOWS\system32\a1.dll
2006-07-02 16:12 520,192 C:\WINDOWS\system32\wscma2u.exe
2006-07-02 16:12 278,528 C:\WINDOWS\system32\ammpp.dll
2006-07-02 16:12 193,536 C:\WINDOWS\system32\atomid.exe
2006-06-26 18:06 356,352 C:\WINDOWS\eSellerateEngine.dll
2006-06-24 20:31 34,308 C:\WINDOWS\system32\BASSMOD.dll
2006-06-21 18:38 235,228 C:\WINDOWS\system32\icon_mediamotor.exe
2006-06-21 18:38 115,239 C:\WINDOWS\system32\ts_mediamotor.exe


(((((((((((((((((((((((((((((((((((((((((( Reg Loading Points ))))))))))))))))))))))))))))))))))))))))))))))))

*Note* empty entries are not shown

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run]
"Share-to-Web Namespace Daemon"="C:\\Program Files\\Hewlett-Packard\\HP Share-to-Web\\hpgs2wnd.exe"
"RoxioDragToDisc"="\"C:\\Program Files\\Roxio\\Easy Media Creator 7\\Drag to Disc\\DrgToDsc.exe\""
"QuickTime Task"="\"C:\\Program Files\\QuickTime\\qttask.exe\" -atboottime"
"PinnacleDriverCheck"="C:\\WINDOWS\\System32\\PSDrvCheck.exe"
"luumur"="c:\\windows\\system32\\lmkenwy.exe"
"HP Software Update"="\"G:\\Program Files\\HP\\HP Software Update\\HPWuSchd2.exe\""
"gcasServ"="\"C:\\Program Files\\Microsoft AntiSpyware\\gcasServ.exe\""
"DeadAIM"="rundll32.exe \"C:\\Program Files\\AIM95\\\\DeadAIM.ocm\",ExportedCheckODLs"
"AdaptecDirectCD"="C:\\Program Files\\Adaptec\\Easy CD Creator 5\\DirectCD\\DirectCD.exe"
"k6mmN5IOU"="\"C:\\WINDOWS\\system32\\wfxqhv.exe\""
"MSConfig"="C:\\Documents and Settings\\donkey\\Desktop\\msconfig.exe /auto"
"!ewido"="\"C:\\Program Files\\ewido anti-spyware 4.0\\ewido.exe\" /minimized"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\IMAIL]
"Installed"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MAPI]
"Installed"="1"
"NoChange"="1"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\run\OptionalComponents\MSFS]
"Installed"="1"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\run]
"H/PC Connection Agent"="\"C:\\Program Files\\Microsoft ActiveSync\\wcescomm.exe\""
"Ho0qRgj7S"="mdirac32.exe"
"Wbgpmv"="C:\\Documents and Settings\\donkey\\My Documents\\?racle\\ntvdm.exe"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex]
"flags"=dword:00000008

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\runonceex\000]

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer]
@=""
"NoDriveTypeAutoRun"=hex:5f,00,00,00
"NoCDBurning"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\explorer\Run]
"UpdateManager"="C:\\Program Files\\Common Files\\Microsoft Shared\\Web Components\\vupdman.exe"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\explorer\run]
"{A8AAE904-0A60-1033-0226-030204250001}"="\"C:\\Program Files\\Common Files\\{A8AAE904-0A60-1033-0226-030204250001}\\Update.exe\" mc-110-12-0000103"

[HKEY_CURRENT_USER\software\microsoft\windows\currentversion\policies\system]
"Ghp`amfUbrhLds"=dword:00000000
"DisableTaskMgr"=dword:00000000
"DisableRegistryTools"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components]
"DeskHtmlVersion"=dword:00000110
"DeskHtmlMinorVersion"=dword:00000005
"Settings"=dword:00000001
"GeneralFlags"=dword:00000000

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\0]
"Source"="C:\\Program Files\\microsoft frontpage\\kyzesep.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,e8,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\1]
"Source"="C:\\Program Files\\ComPlus Applications\\howyqymih.html"
"SubscribedURL"=""
"FriendlyName"=""
"Flags"=dword:00002000
"Position"=hex:2c,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,00,00,ea,\
03,00,00,00,00,00,00,00,00,00,00,00,00,00,00,14,00,00,00,14,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,64,00,00,00,64,00,00,00,58,02,00,00,c8,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,00,00,00,00

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\2]
"Source"="file:///C:/DOCUME~1/donkey/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg"
"SubscribedURL"="file:///C:/DOCUME~1/donkey/LOCALS~1/Temp/msohtml1/01/clip_image002.jpg"
"FriendlyName"=""
"Flags"=dword:00002001
"Position"=hex:2c,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,ec,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000001
"OriginalStateInfo"=hex:18,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,00,\
00,00,01,00,00,00
"RestoredStateInfo"=hex:dc,ff,b8,01,f3,99,83,7c,70,9a,80,7c,ff,ff,ff,ff,66,9a,\
80,7c,66,9a,80,7c

[HKEY_CURRENT_USER\software\microsoft\internet explorer\desktop\components\3]
"Source"="About:Home"
"SubscribedURL"="About:Home"
"FriendlyName"="My Current Home Page"
"Flags"=dword:00000002
"Position"=hex:2c,00,00,00,00,01,00,00,00,00,00,00,00,04,00,00,de,03,00,00,ee,\
03,00,00,01,00,00,00,01,00,00,00,01,00,00,00,00,00,00,00,00,00,00,00
"CurrentState"=dword:40000004
"OriginalStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,04,00,00,40
"RestoredStateInfo"=hex:18,00,00,00,cc,00,00,00,00,00,00,00,34,03,00,00,e2,02,\
00,00,01,00,00,00

[HKEY_USERS\.default\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=""

[HKEY_USERS\.default\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\runonce]
"RunNarrator"=""

[HKEY_USERS\s-1-5-18\software\microsoft\windows\currentversion\policies\explorer]
"NoDriveTypeAutoRun"=dword:00000091
"CDRAutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\sharedtaskscheduler]
"{438755C2-A8BA-11D1-B96B-00A0C90312E1}"="Browseui preloader"
"{8C7461EF-2B13-11d2-BE35-3078302C2030}"="Component Categories cache daemon"

[HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\explorer\shellexecutehooks]
"{AEB6717E-7E19-11d0-97EE-00C04FD91972}"=""
"{091EB208-39DD-417D-A5DD-7E2C2D8FB9CB}"="Microsoft AntiMalware ShellExecuteHook"
"{57B86673-276A-48B2-BAE7-C6DBB3020EB8}"="ewido anti-spyware 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^eFax Tray Menu 4.0.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\eFax Tray Menu 4.0.lnk"
"backup"="C:\\WINDOWS\\pss\\eFax Tray Menu 4.0.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\EFAXME~1.0\\J2GTray.exe "
"item"="eFax Tray Menu 4.0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^jsshx.exe]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jsshx.exe"
"backup"="C:\\WINDOWS\\pss\\jsshx.exeCommon Startup"
"location"="Common Startup"
"command"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\jsshx.exe"
"item"="jsshx"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^All Users^Start Menu^Programs^Startup^QuickBooks Update Agent.lnk]
"path"="C:\\Documents and Settings\\All Users\\Start Menu\\Programs\\Startup\\QuickBooks Update Agent.lnk"
"backup"="C:\\WINDOWS\\pss\\QuickBooks Update Agent.lnkCommon Startup"
"location"="Common Startup"
"command"="C:\\PROGRA~1\\COMMON~1\\Intuit\\QUICKB~1\\QBUpdate\\qbupdate.exe "
"item"="QuickBooks Update Agent"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupfolder\C:^Documents and Settings^donkey^Start Menu^Programs^Startup^Registration-InstantCopy.lnk]
"path"="C:\\Documents and Settings\\donkey\\Start Menu\\Programs\\Startup\\Registration-InstantCopy.lnk"
"backup"="C:\\WINDOWS\\pss\\Registration-InstantCopy.lnkStartup"
"location"="Startup"
"command"="C:\\PROGRA~1\\Pinnacle\\SHARED~1\\INSTAN~1\\Pixie\\RegTool.exe InstantCopy,INSCPY,register,EN,0,serial=AAOUQ-AAKBF-FYGSU-YMMDA-BHDMA"
"item"="Registration-InstantCopy"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\0Frk3mP]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="mgmazel"
"hkey"="HKLM"
"command"="mgmazel.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\acc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="acc"
"hkey"="HKCU"
"command"="C:\\PROGRA~1\\acc\\acc.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\ACTX1]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="v1201"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\v1201.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\AltnetPointsManager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="points manager"
"hkey"="HKLM"
"command"="c:\\program files\\altnet\\points manager\\points manager.exe -s"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\BullsEye Network]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="bargains"
"hkey"="HKLM"
"command"="C:\\Program Files\\BullsEye Network\\bin\\bargains.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS]

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\C:\WINDOWS\VCMnet11.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VCMnet11"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\VCMnet11.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\cfgmgr52]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cfgmgr52"
"hkey"="HKLM"
"command"="RunDLL32.EXE C:\\WINDOWS\\cfgmgr52.dll,DllRun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\checkrun]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="elitepbe32"
"hkey"="HKLM"
"command"="C:\\windows\\system32\\elitepbe32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Configuration Manager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="cfg32"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\cfg32.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\defender]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="dfndref_7"
"hkey"="HKLM"
"command"="c:\\\\dfndref_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\doucyc]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="pqicfcu"
"hkey"="HKLM"
"command"="c:\\windows\\system32\\pqicfcu.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\exp.exe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="exp"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\exp.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\IpWins]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ipwins"
"hkey"="HKLM"
"command"="C:\\Program Files\\ipwins\\ipwins.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\k6mmN5IOU]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wfxqhv"
"hkey"="HKLM"
"command"="\"C:\\WINDOWS\\system32\\wfxqhv.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\keyboard]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="kybrdef_7"
"hkey"="HKLM"
"command"="c:\\\\kybrdef_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\MoneyStartUp10.0]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Activation"
"hkey"="HKLM"
"command"="\"G:\\Programs\\Microsoft Money\\System\\Activation.exe\""
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\msnmsgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="msnmsgr"
"hkey"="HKCU"
"command"="\"C:\\Program Files\\MSN Messenger\\msnmsgr.exe\" /background"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\myrys]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qlhgrs"
"hkey"="HKCU"
"command"="C:\\WINDOWS\\system32\\qlhgrs.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Ncao]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="urpo"
"hkey"="HKCU"
"command"="C:\\Documents and Settings\\donkey\\Application Data\\urpo.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\newname]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="nwnmef_7"
"hkey"="HKLM"
"command"="c:\\\\nwnmef_7.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\qclxrq]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="qlhgrs"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\system32\\qlhgrs.exe reg_run"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SpyHunter]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="SpyHunter"
"hkey"="HKLM"
"command"="C:\\Program Files\\Enigma Software Group\\SpyHunter\\SpyHunter.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\SurfSideKick 3]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="Ssk"
"hkey"="HKLM"
"command"="C:\\Program Files\\SurfSideKick 3\\Ssk.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TBPS]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="TBPS"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\Toolbar\\TBPS.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\TkBellExe]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="realsched"
"hkey"="HKLM"
"command"="\"C:\\Program Files\\Common Files\\Real\\Update_OB\\realsched.exe\" -osboot"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\uoltray]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="exec"
"hkey"="HKCU"
"command"="C:\\Program Files\\NetZero\\exec.exe regrun"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\updmgr]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="updmgr"
"hkey"="HKLM"
"command"="C:\\Program Files\\Common files\\updmgr\\updmgr.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\UpdReg]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="UpdReg"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\UpdReg.EXE"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\VOBRegCheck]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="VOBREGCheck"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\System32\\VOBREGCheck.exe -CheckReg"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WatchDog]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WatchDog"
"hkey"="HKLM"
"command"="C:\\Program Files\\mobile PhoneTools\\WatchDog.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Win Server Updt]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="wupdt"
"hkey"="HKLM"
"command"="C:\\WINDOWS\\wupdt.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\WinTools]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="WToolsA"
"hkey"="HKLM"
"command"="C:\\PROGRA~1\\COMMON~1\\WinTools\\WToolsA.exe"
"inimapping"="0"

[HKEY_LOCAL_MACHINE\software\microsoft\shared tools\msconfig\startupreg\Yahoo! Pager]
"key"="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run"
"item"="ypager"
"hkey"="HKCU"
"command"="C:\\Program Files\\Yahoo!\\Messenger\\ypager.exe -quiet"
"inimapping"="0"

HKEY_LOCAL_MACHINE\system\currentcontrolset\control\safeboot\minimal\WinDefend


Contents of the 'Scheduled Tasks' folder
C:\WINDOWS\tasks\At1.job
C:\WINDOWS\tasks\At2.job
C:\WINDOWS\tasks\Automatic Differential Backup.job
C:\WINDOWS\tasks\Automatic Full Backup.job
C:\WINDOWS\tasks\DEFRAG.job
C:\WINDOWS\tasks\MP Scheduled Scan.job
C:\WINDOWS\tasks\Mydocs&Email.job
C:\WINDOWS\tasks\RoxioBackup MyDocs&Outlook.job
C:\WINDOWS\tasks\{1EAD00A2-558C-481A-BCEA-DED0181E0404}_BUTCH_donkey.job
C:\WINDOWS\tasks\{E643B8F5-965C-4030-B6C9-3F0AB4EA1DED}_BUTCH_donkey.job
C:\WINDOWS\tasks\{EAE20476-9F54-409C-A3DE-81D354C39FA6}_BUTCH_donkey.job

Completion time: Wed 07/26/2006 10:12:51.54
ComboFix ver 06.07.15 - This logfile is located at C:\ComboFix.txt


HTJ LOG ----->>>>

Logfile of HijackThis v1.99.1
Scan saved at 10:54:59 AM, on 7/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
G:\Programs\Adobe\Acrobat 6.0\Distillr\acrotray.exe
G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
G:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\donkey\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [RoxioDragToDisc] "C:\Program Files\Roxio\Easy Media Creator 7\Drag to Disc\DrgToDsc.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [HP Software Update] "G:\Program Files\HP\HP Software Update\HPWuSchd2.exe"
O4 - HKLM\..\Run: [gcasServ] "C:\Program Files\Microsoft AntiSpyware\gcasServ.exe"
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [AdaptecDirectCD] C:\Program Files\Adaptec\Easy CD Creator 5\DirectCD\DirectCD.exe
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\donkey\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Wbgpmv] C:\Documents and Settings\donkey\My Documents\?racle\ntvdm.exe
O4 - Global Startup: Acrobat Assistant.lnk = G:\Programs\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - G:\Programs\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ConferenceRoom Java Client - http://hotwired3.tec...000/java/cr.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.game...ts/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.mo...eAutoLaunch.ocx
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - http://opal.pascocou...palplayerx5.cab
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.o...scriptPrint.CAB
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pubgis.co.pin....3/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123246965718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133485787484
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange...ClientUtils.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www25.wirele...SyncInstall.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} (LinkSys Content Update) - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CF392BE0-B84F-46E9-BDA9-845119819119} (IPAQSelfHelp Class) - http://isupport4.hp....SPEIPAQTool.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#6
Crustyoldbloke
Posted 26 July 2006 - 10:04 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Well that certainly cleared a lot of it up.

You have a strange entry in your HJT log:

O4 - HKCU\..\Run: [Wbgpmv] C:\Documents and Settings\donkey\My Documents\?racle\ntvdm.exe

The folder containing the file is not right and it has all the hallmarks of Purity Scan, so we can try uninstalling it firstly and if it remains, we can get it checked out.

Look in your Control Panel’s Add/Remove Programs for PuritySCAN By OIN, OuterInfo, OIN or similar , click on it and click remove.

Reboot and delete this folder if found: C:\Program Files\PurityScan\

If it is not listed, download and run this uninstaller: outerinfo.com/OiUninstaller.exe

Tutorial for the uninstaller if needed

Rescan with HijackThis. Close all programmes leaving only HijackThis running. Place a checkmark or tick against the following:

O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...ip/RdxIE601.cab

Click on Fix Checked when finished and exit HijackThis.

There are two files in your log of which I am unsure. For that reason, I need you to submit them to Jotti's for analysis.

1. Click HERE to get to Jotti's site.

2. At the top of the Jotti window, use the Browse button to locate the following file on your system:

C:\WINDOWS\system32\ammpp.dll
C:\WINDOWS\system32\atomid.exe


3. Once you have located the files, click SUBMIT and the content of the file will be uploaded by the site and analysed, one at a time.

4. Please provide me with the results of the analysis.

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\WINDOWS\pgnmi.dll
C:\WINDOWS\SYSTEM32\wnsintsv.exe
C:\626_101newer.exe
C:\visfx500new.exe
C:\WINDOWS\SYSTEM32\uninstIcn.exe
C:\WINDOWS\media_motor_bundle.exe
C:\WINDOWS\system32bez6n4r21.exe
C:\WINDOWS\system32ghynf.exe
C:\WINDOWS\SYSTEM32\ghynf.exe
C:\WINDOWS\SYSTEM32\bez6n4r21.exe
C:\fym9bvo.exe
C:\Program Files\??crosoft.NET
C:\Program Files\Common Files\{A8AAE904-0A60-1033-0226-030204250001}
C:\WINDOWS\SYSTEM32\cvn0.exe
C:\WINDOWS\system32\icon_mediamotor.exe
C:\WINDOWS\system32\ts_mediamotor.exe
C:\Program Files\Common Files\{A8AAE904-0A60-1033-0226-030204250001}\Update.exe
C:\Documents and Settings\All Users\Start Menu\Programs\Startup\jsshx.exe
C:\Program Files\BullsEye Network\bin\bargains.exe
C:\WINDOWS\cfgmgr52.dll
C:\windows\system32\elitepbe32.exe
C:\WINDOWS\cfg32.exe
c:\dfndref_7.exe
c:\windows\system32\pqicfcu.exe
C:\WINDOWS\System32\exp.exe
C:\Program Files\ipwins\ipwins.exe
C:\WINDOWS\system32\wfxqhv.exe
c:\kybrdef_7.exe
C:\WINDOWS\system32\qlhgrs.exe
C:\Documents and Settings\donkey\Application Data\urpo.exe
c:\nwnmef_7.exe
C:\WINDOWS\system32\qlhgrs.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\WINDOWS\wupdt.exe
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\Program Files\System Icons
C:\Program Files\System Files
C:\Program Files\InetGet2
C:\Program Files\Enigma Software Group
C:\Documents and Settings\donkey\Application Data\a?sembly - the ? will be another character
C:\Program Files\Common Files\ofuf
C:\Program Files\BullsEye Network
C:\Program Files\ipwins
C:\Program Files\SurfSideKick 3
C:\PROGRA~1\Toolbar
C:\PROGRA~1\COMMON~1\WinTools

Close Windows Explorer and Reboot normally

Do you know what these are:

C:\WINDOWS\tasks\{1EAD00A2-558C-481A-BCEA-DED0181E0404}_BUTCH_donkey.job
C:\WINDOWS\tasks\{E643B8F5-965C-4030-B6C9-3F0AB4EA1DED}_BUTCH_donkey.job
C:\WINDOWS\tasks\{EAE20476-9F54-409C-A3DE-81D354C39FA6}_BUTCH_donkey.job

Post back a fresh HijackThis log (from normal mode) and I will take another look.

How's the PC running now?
  • 0

#7
jmcconkey
Posted 26 July 2006 - 11:02 AM

jmcconkey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Okay...things seem to be working great now. NO more popups.. However, I notice that it seems to take forever the desktop to load after logging in. It never did that before, so I am not sure if there is still something lingering out there or not. I did go and upload those two files ammpp.dll and atomid.exe and they both came back OK with no problems found.

Here is the most uptodate HTJ log:

Logfile of HijackThis v1.99.1
Scan saved at 1:01:22 PM, on 7/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
G:\Programs\Adobe\Acrobat 6.0\Distillr\acrotray.exe
G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\system32\wscntfy.exe
C:\WINDOWS\system32\wuauclt.exe
G:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Documents and Settings\donkey\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\donkey\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - Global Startup: Acrobat Assistant.lnk = G:\Programs\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - G:\Programs\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ConferenceRoom Java Client - http://hotwired3.tec...000/java/cr.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.game...ts/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.mo...eAutoLaunch.ocx
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - http://opal.pascocou...palplayerx5.cab
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.o...scriptPrint.CAB
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pubgis.co.pin....3/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123246965718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133485787484
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange...ClientUtils.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www25.wirele...SyncInstall.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CF392BE0-B84F-46E9-BDA9-845119819119} (IPAQSelfHelp Class) - http://isupport4.hp....SPEIPAQTool.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe



Thanks!
  • 0

#8
Crustyoldbloke
Posted 26 July 2006 - 11:27 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Do you know what those tasks were?

I am not seeing all of your startups.

Go to START > RUN > type in msconfig > hit ENTER > STARTUP > check ENABLE ALL > APPLY > OK > REBOOT.

Post back a fresh HijackThis log (from normal mode) and I will take another look
  • 0

#9
jmcconkey
Posted 26 July 2006 - 12:43 PM

jmcconkey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Thanks again... as far as the task go, Im not sure, there were some backup task listed, I deleted all the scheduled tasks. I enabled all of the Start Up items in MSCONFIG and ran new HJT, and the log is below:

Logfile of HijackThis v1.99.1
Scan saved at 2:43:58 PM, on 7/26/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\WINDOWS\System32\MsPMSPSv.exe
C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
C:\PROGRA~1\HEWLET~1\HPSHAR~1\hpgs2wnf.exe
C:\Program Files\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\Program Files\MSN Messenger\msnmsgr.exe
G:\Programs\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
C:\Program Files\eFax Messenger 4.0\J2GTray.exe
G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\system32\wscntfy.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\Program Files\Microsoft ActiveSync\WCESMgr.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
G:\Program Files\HP\Digital Imaging\bin\hpqgalry.exe
C:\Documents and Settings\donkey\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [Share-to-Web Namespace Daemon] C:\Program Files\Hewlett-Packard\HP Share-to-Web\hpgs2wnd.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\donkey\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [WatchDog] C:\Program Files\mobile PhoneTools\WatchDog.exe
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [qclxrq] C:\WINDOWS\system32\qlhgrs.exe reg_run
O4 - HKLM\..\Run: [newname] c:\\nwnmef_7.exe
O4 - HKLM\..\Run: [MoneyStartUp10.0] "G:\Programs\Microsoft Money\System\Activation.exe"
O4 - HKLM\..\Run: [keyboard] c:\\kybrdef_7.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [doucyc] c:\windows\system32\pqicfcu.exe
O4 - HKLM\..\Run: [defender] c:\\dfndref_7.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitepbe32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [0Frk3mP] mgmazel.exe
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [uoltray] C:\Program Files\NetZero\exec.exe regrun
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\donkey\Application Data\urpo.exe
O4 - HKCU\..\Run: [myrys] C:\WINDOWS\system32\qlhgrs.exe reg_run
O4 - HKCU\..\Run: [msnmsgr] "C:\Program Files\MSN Messenger\msnmsgr.exe" /background
O4 - HKCU\..\Run: [acc] C:\PROGRA~1\acc\acc.exe
O4 - Startup: Registration-InstantCopy.lnk = C:\Program Files\Pinnacle\Shared Files\InstantCDDVD\Pixie\RegTool.exe
O4 - Global Startup: Acrobat Assistant.lnk = G:\Programs\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: eFax Tray Menu 4.0.lnk = C:\Program Files\eFax Messenger 4.0\J2GTray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: HP Image Zone Fast Start.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqthb08.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: QuickBooks Update Agent.lnk = C:\Program Files\Common Files\Intuit\QuickBooks\QBUpdate\qbupdate.exe
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - G:\Programs\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: ConferenceRoom Java Client - http://hotwired3.tec...000/java/cr.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.game...ts/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.mo...eAutoLaunch.ocx
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - http://opal.pascocou...palplayerx5.cab
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.o...scriptPrint.CAB
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pubgis.co.pin....3/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123246965718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133485787484
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange...ClientUtils.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www25.wirele...SyncInstall.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CF392BE0-B84F-46E9-BDA9-845119819119} (IPAQSelfHelp Class) - http://isupport4.hp....SPEIPAQTool.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#10
Crustyoldbloke
Posted 26 July 2006 - 01:21 PM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

That’s better I can see what is on your PC rather than having to read registry settings.

Please disable Ewido Guard from running as it will hinder our attempts to change anything. Right click on the orange icon in the taskbar (near the clock) and uncheck Resident Shield. The icon will change to a grey colour.

Please re-open HiJackThis and scan. Check the boxes next to all the entries listed below.

O4 - HKLM\..\Run: [WinTools] C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
O4 - HKLM\..\Run: [Win Server Updt] C:\WINDOWS\wupdt.exe
O4 - HKLM\..\Run: [updmgr] C:\Program Files\Common files\updmgr\updmgr.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\Run: [SurfSideKick 3] C:\Program Files\SurfSideKick 3\Ssk.exe
O4 - HKLM\..\Run: [SpyHunter] C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
O4 - HKLM\..\Run: [qclxrq] C:\WINDOWS\system32\qlhgrs.exe reg_run
O4 - HKLM\..\Run: [newname] c:\\nwnmef_7.exe
O4 - HKLM\..\Run: [keyboard] c:\\kybrdef_7.exe
O4 - HKLM\..\Run: [k6mmN5IOU] "C:\WINDOWS\system32\wfxqhv.exe"
O4 - HKLM\..\Run: [IpWins] C:\Program Files\ipwins\ipwins.exe
O4 - HKLM\..\Run: [exp.exe] C:\WINDOWS\System32\exp.exe
O4 - HKLM\..\Run: [doucyc] c:\windows\system32\pqicfcu.exe
O4 - HKLM\..\Run: [defender] c:\\dfndref_7.exe
O4 - HKLM\..\Run: [Configuration Manager] C:\WINDOWS\cfg32.exe
O4 - HKLM\..\Run: [checkrun] C:\windows\system32\elitepbe32.exe
O4 - HKLM\..\Run: [cfgmgr52] RunDLL32.EXE C:\WINDOWS\cfgmgr52.dll,DllRun
O4 - HKLM\..\Run: [BullsEye Network] C:\Program Files\BullsEye Network\bin\bargains.exe
O4 - HKLM\..\Run: [AltnetPointsManager] c:\program files\altnet\points manager\points manager.exe -s
O4 - HKLM\..\Run: [ACTX1] C:\WINDOWS\v1201.exe
O4 - HKLM\..\Run: [0Frk3mP] mgmazel.exe
O4 - HKCU\..\Run: [Ncao] C:\Documents and Settings\donkey\Application Data\urpo.exe
O4 - HKCU\..\Run: [myrys] C:\WINDOWS\system32\qlhgrs.exe reg_run
O6 - HKCU\Software\Policies\Microsoft\Internet Explorer\Restrictions present

Now close all windows other than HiJackThis, then click Fix Checked. Please now reboot into safe mode. Here's how:

Restart your computer and as soon as it starts booting up again continuously tap the F8 key. A menu should appear where you will be given the option to enter Safe Mode.

Please set your system to show all files; please see here if you're unsure how to do this.

Please delete these folders (if present) using Windows Explorer:

C:\PROGRA~1\COMMON~1\WinTools\
C:\Program Files\Common files\updmgr\
C:\PROGRA~1\Toolbar\
C:\Program Files\SurfSideKick 3\
C:\Program Files\Enigma Software Group\
C:\Program Files\ipwins\
C:\Program Files\BullsEye Network\
c:\program files\altnet\

Close Windows Explorer and Reboot normally

Please install Killbox by Option^Explicit.
  • Please double-click Killbox.exe to run it.
  • Select Delete on Reboot
  • then Click on the All Files button.
  • Please copy the file paths below to the clipboard by highlighting ALL of them and pressing CTRL + C (or, after highlighting, right-click and choose copy):
C:\PROGRA~1\COMMON~1\WinTools\WToolsA.exe
C:\WINDOWS\wupdt.exe
C:\Program Files\Common files\updmgr\updmgr.exe
C:\PROGRA~1\Toolbar\TBPS.exe
C:\Program Files\SurfSideKick 3\Ssk.exe
C:\Program Files\Enigma Software Group\SpyHunter\SpyHunter.exe
C:\WINDOWS\system32\qlhgrs.exe
c:\nwnmef_7.exe
c:\kybrdef_7.exe
C:\WINDOWS\system32\wfxqhv.exe
C:\Program Files\ipwins\ipwins.exe
C:\WINDOWS\System32\exp.exe
c:\windows\system32\pqicfcu.exe
c:\dfndref_7.exe
C:\WINDOWS\cfg32.exe
C:\windows\system32\elitepbe32.exe
C:\WINDOWS\cfgmgr52.dll
C:\Program Files\BullsEye Network\bin\bargains.exe
c:\program files\altnet\points manager\points manager.exe
C:\WINDOWS\v1201.exe
C:\windows\system32\mgmazel.exe
C:\Documents and Settings\donkey\Application Data\urpo.exe
  • Return to Killbox, go to the File menu, and choose Paste from Clipboard.
  • Click the red-and-white Delete File button. Click Yes at the Delete on Reboot prompt. Click OK at any PendingFileRenameOperations prompt (and please let me know if you receive this message!).
If your computer does not restart automatically, please restart it manually.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run Killbox, click here to download and run missingfilesetup.exe. Then try Killbox again.

Post back a fresh HijackThis log (from normal mode) and I will take another look. How’s the PC running now?
  • 0

Advertisements

#11
Crustyoldbloke
Posted 05 August 2006 - 06:43 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Due to lack of feedback, this topic has been closed.

If you need this topic reopened, please contact a staff member. This applies only to the original topic starter. Everyone else please begin a New Topic.
  • 0

#12
Crustyoldbloke
Posted 18 August 2006 - 07:10 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Re-opened at the request of the topic starter.
  • 0

#13
jmcconkey
Posted 18 August 2006 - 07:20 AM

jmcconkey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Thanks for your help. The Hi-Jack This is listed below. The computer seems to be running fine, other than two issues. One, it still takes forever to start up. and 2nd, IE will not load some pages. the page will be blank. If i use Firefox, it will work just fine, which makes me think that may be an IE issue? Also, my norton antivirus keeps finding a virus in the restore files. Is there a way to clear out the old restore files? Thanks for your help.

------


Logfile of HijackThis v1.99.1
Scan saved at 8:39:26 AM, on 8/18/2006
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\csrss.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Windows Defender\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Intel\ASF Agent\ASFAgent.exe
C:\WINDOWS\System32\CTsvcCDA.exe
C:\Program Files\Symantec AntiVirus\DefWatch.exe
C:\Program Files\ewido anti-spyware 4.0\guard.exe
C:\Program Files\Dell\OpenManage\Client\Iap.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Symantec AntiVirus\Rtvscan.exe
C:\Program Files\Microsoft ActiveSync\wcescomm.exe
C:\WINDOWS\system32\wdfmgr.exe
C:\PROGRA~1\MICROS~3\rapimgr.exe
G:\Programs\Adobe\Acrobat 6.0\Distillr\acrotray.exe
C:\WINDOWS\System32\MsPMSPSv.exe
G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\WINDOWS\System32\HPZipm12.exe
C:\Program Files\Wireless Sync\Client\Monitor.exe
C:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE
C:\WINDOWS\System32\wbem\wmiprvse.exe
C:\Documents and Settings\donkey\Desktop\hijackthis\HijackThis.exe

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://google.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Microsoft Internet Explorer provided by Verizon Online
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PinnacleDriverCheck] C:\WINDOWS\System32\PSDrvCheck.exe
O4 - HKLM\..\Run: [DeadAIM] rundll32.exe "C:\Program Files\AIM95\\DeadAIM.ocm",ExportedCheckODLs
O4 - HKLM\..\Run: [MSConfig] C:\Documents and Settings\donkey\Desktop\msconfig.exe /auto
O4 - HKLM\..\Run: [VOBRegCheck] C:\WINDOWS\System32\VOBREGCheck.exe -CheckReg
O4 - HKLM\..\Run: [UpdReg] C:\WINDOWS\UpdReg.EXE
O4 - HKCU\..\Run: [H/PC Connection Agent] "C:\Program Files\Microsoft ActiveSync\wcescomm.exe"
O4 - HKCU\..\Run: [Yahoo! Pager] "C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe" -quiet
O4 - Global Startup: Acrobat Assistant.lnk = G:\Programs\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = G:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: Microsoft Office.lnk = G:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Wireless Sync Client.lnk = C:\Program Files\Wireless Sync\Client\Monitor.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: Create Mobile Favorite - {2EAF5BB1-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: (no name) - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra 'Tools' menuitem: Create Mobile Favorite... - {2EAF5BB2-070F-11D3-9307-00C04FAE2D4F} - C:\PROGRA~1\MICROS~3\INetRepl.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM95\aim.exe
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - G:\Programs\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - C:\Program Files\Yahoo!\Messenger\YahooMessenger.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O15 - Trusted Zone: mfr.MLXchange.com
O15 - Trusted Zone: *.samarkandsworld.com
O15 - Trusted Zone: *.secureserver.net
O16 - DPF: ConferenceRoom Java Client - http://hotwired3.tec...000/java/cr.cab
O16 - DPF: Video Poker - http://download.game...ts/y/vpt0_x.cab
O16 - DPF: Yahoo! Bingo - http://download.game...nts/y/xt0_x.cab
O16 - DPF: Yahoo! Blackjack - http://download.game...nts/y/jt0_x.cab
O16 - DPF: Yahoo! Checkers - http://download.game...nts/y/kt3_x.cab
O16 - DPF: Yahoo! Chinese Checkers - http://download.game...ts/y/cct0_x.cab
O16 - DPF: Yahoo! Dominoes - http://download.game...ts/y/dot8_x.cab
O16 - DPF: Yahoo! Gin - http://download.game...nts/y/nt1_x.cab
O16 - DPF: Yahoo! Pool 2 - http://download.game...ts/y/pote_x.cab
O16 - DPF: {01113300-3E00-11D2-8470-0060089874ED} (Support.com Configuration Class) - https://activatemyfi...oad/tgctlcm.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....k/?linkid=39204
O16 - DPF: {284DAE3C-A691-11D3-AD58-00E0B8107A24} (SISCtrl Class) - http://mfr.mlxchange...ontrol/SISC.cab
O16 - DPF: {4989312D-58CF-11D5-A7D7-00E02911103E} (Interealty MultiSelect) - http://mfr.mlxchange...ectComboBox.cab
O16 - DPF: {59D04288-805E-4D43-BE09-83B1083E9E1E} (IUpdateAutoLaunch Control) - http://idenphones.mo...eAutoLaunch.ocx
O16 - DPF: {59F156FC-9BC4-11D5-B0A5-0060085A719D} (Opalplayerx5 Control) - http://opal.pascocou...palplayerx5.cab
O16 - DPF: {5A66E13A-311D-488B-828D-DDDF52EFB636} (strprint.trprints) - https://partnering.o...scriptPrint.CAB
O16 - DPF: {62789780-B744-11D0-986B-00609731A21D} (Autodesk MapGuide ActiveX Control) - http://pubgis.co.pin....3/mgaxctrl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1123246965718
O16 - DPF: {6E32070A-766D-4EE6-879C-DC1FA91D2FC3} (MUWebControl Class) - http://update.micros...b?1133485787484
O16 - DPF: {6FD482A3-7B57-438B-B040-52CAA30147EE} (MLXchange Client Utils) - http://mfr.mlxchange...ClientUtils.cab
O16 - DPF: {83AB6E4D-CDD7-11D3-B5E7-00104B9AFF6E} (GeacRevw Control) - http://mfr.mlxchange...ol/IRCSharc.cab
O16 - DPF: {8AA1AE9E-9FB0-41B3-8911-89A1068A7FD1} (Installer Class) - https://www25.wirele...SyncInstall.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} - http://www.installen...gine/isetup.cab
O16 - DPF: {A93D84FD-641F-43AE-B963-E6FA84BE7FE7} - http://www.linksysfi...ll/gtdownls.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {B942A249-D1E7-4C11-98AE-FCB76B08747F} (RealArcadeRdxIE Class) - http://games-dl.real...ArcadeRdxIE.cab
O16 - DPF: {CF392BE0-B84F-46E9-BDA9-845119819119} (IPAQSelfHelp Class) - http://isupport4.hp....SPEIPAQTool.CAB
O16 - DPF: {F58E1CEF-A068-4C15-BA5E-587CAF3EE8C6} (MSN Chat Control 4.5) - http://fdl.msn.com/p...t/msnchat45.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{AB679F8A-AA4B-49C3-BAC6-FA8CF010415D}: NameServer = 192.168.0.1
O20 - Winlogon Notify: vistax - C:\WINDOWS\SYSTEM32\vistax.dll
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: ASF Agent (ASFAgent) - Intel Corporation - C:\Program Files\Intel\ASF Agent\ASFAgent.exe
O23 - Service: pcAnywhere Host Service (awhost32) - Symantec Corporation - C:\Program Files\Symantec\pcAnywhere\awhost32.exe
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation (ccPwdSvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Settings Manager (ccSetMgr) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\ccSetMgr.exe
O23 - Service: Creative Service for CDROM Access - Creative Technology Ltd - C:\WINDOWS\System32\CTsvcCDA.exe
O23 - Service: Symantec AntiVirus Definition Watcher (DefWatch) - Symantec Corporation - C:\Program Files\Symantec AntiVirus\DefWatch.exe
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\ewido anti-spyware 4.0\guard.exe
O23 - Service: Iap - Dell Computer Corporation - C:\Program Files\Dell\OpenManage\Client\Iap.exe
O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
O23 - Service: MSCSPTISRV - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\MSCSPTISRV.exe
O23 - Service: Intel® NMS (NMSSvc) - Intel Corporation - C:\WINDOWS\System32\NMSSvc.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\PACSPTISVR.exe
O23 - Service: Pml Driver HPZ12 - HP - C:\WINDOWS\System32\HPZipm12.exe
O23 - Service: LiveShare P2P Server (RoxLiveShare) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxLiveShare.exe
O23 - Service: RoxMediaDB - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxMediaDB.exe
O23 - Service: RoxUpnpRenderer (RoxUPnPRenderer) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCom\RoxUpnpRenderer.exe
O23 - Service: RoxUpnpServer - Sonic Solutions - C:\Program Files\Roxio\Easy Media Creator 8\Digital Home\RoxUpnpServer.exe
O23 - Service: Roxio Hard Drive Watcher (RoxWatch) - Sonic Solutions - C:\Program Files\Common Files\Roxio Shared\SharedCOM8\RoxWatch.exe
O23 - Service: SAVRoam (SavRoam) - symantec - C:\Program Files\Symantec AntiVirus\SavRoam.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SPTISRV.exe
O23 - Service: SonicStage SCSI Service (SSScsiSV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\SSScsiSV.exe
O23 - Service: Symantec AntiVirus - Symantec Corporation - C:\Program Files\Symantec AntiVirus\Rtvscan.exe
  • 0

#14
Crustyoldbloke
Posted 18 August 2006 - 07:42 AM

Crustyoldbloke

    Old Malware Surgeon with a shaky scalpel

  • Retired Staff
  • 15,131 posts
Hello again

Before I tackle the slowness problem and the MSIE problem, let's just get you clean; you have the Haxdoor infection, which is a bad one.

Download haxfix.exe and save it to your desktop.
  • Double click on haxfix.exe to install haxfix. (standard installation path is c:\program Files\haxfix)
  • Checkmark "Create a desktop icon"
  • Click "Next"
  • When the installation is completed, make sure that the checkmark "Launch HaxFix" is placed
  • Click "Finish"
A red "dos window" (dos box) will open with options:
1. Make logfile
2. Run auto fix
3. Run manual fix
E. Exit Haxfix
  • Select option 1. Make logfile by typing 1 and then pressing Enter
  • Haxfix will start scanning the computer. When it is finished a logfile will open: haxlog.txt > (c:\haxfix.txt)
  • Copy the contents of that logfile and paste it into this thread.
Also, please see the 015 entries in your HJT log. Do you recognise these?

Edited by Crustyoldbloke, 18 August 2006 - 07:44 AM.

  • 0

#15
jmcconkey
Posted 18 August 2006 - 07:56 AM

jmcconkey

    Member

  • Topic Starter
  • Member
  • PipPip
  • 61 posts
Here is teh HAXFIX log below. As far as the 015 entries, yes I know what two of them are. I can remove them from IE trusted sites. I see all three there. I will remove the one I know nothing about. thanks,

-----------------

HAXFIX logfile - by Marckie
______________
version 4.10
Fri 08/18/2006 9:52:18.98

checking for haxdoor
--------------------
checking for a3d files....
a3d files found
ps.a3d

checking for matching notify keys....
matching notify keys found
vist

checking for matching services....
matching services found
vistax
vistaj

checking for matching safeboot services....
matching safeboot services found
vistax.sys
vistaj.sys


Checking for goldun
-------------------
checking for notify keys....
no notify keys found

checking for services....
no services found

checking for other goldunfiles....


Finished
  • 0
Back to Virus, Spyware, Malware Removal · Next Unread Topic →




Similar Topics

0 user(s) are reading this topic

0 members, 0 guests, 0 anonymous users

  1. Geeks to Go Community
  2. Security
  3. Virus, Spyware, Malware Removal

As Featured On:

Microsoft Yahoo BBC MSN PC Magazine Washington Post HP