Severe Infection [RESOLVED]


  • This topic is locked

#1 SpaceCowboy706 (Trusted Tech, Member, 1,175 posts)
This is a buddy's PC that has dialup Internet with a severe malware/virus problem that I am trying to help him with. Any help would be appreciated. The short version of the problems is as follows:

The PC will take about 20 minutes to boot up to the Welcome screen. Once there it will then continue on to the desktop pretty quickly. About a minute or two after reaching the desktop, pop-ups start appearing two or three at a time, very rapidly. After about five to ten minutes and a couple thousand pop-ups later, with more pop-ups still coming in, the PC will restart by itself.

Any malware staff, please feel free to attack this one if you want. If the OS is beyond repair or something gets messed up in the process, there is no problem with reformatting and reloading Windows.

The PC is an HP Pavilion 310n with Windows XP Home.

I followed the directions for the prerequisites of posting a HJT log (i.e. CWCleaner, Ad-Aware SE, CWShredder, Spybot S&D, Ewido), but I must add that none of these can be performed in normal mode due to the pop-ups. All the scans and fixes directed to be done were completed in Safe Mode with Networking.

Here are the Ewido log and the HJT log:

EWIDO

---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 10:37:48 AM 8/16/2006

+ Scan result:



C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0030617.exe -> Adware.BookedSpace : No action taken.
C:\WINDOWS\cfg32.exe -> Adware.BookedSpace : No action taken.
C:\WINDOWS\cfg32a.exe -> Adware.BookedSpace : No action taken.
C:\stub_sca3.exe -> Adware.BookedSpace : No action taken.
C:\WINDOWS\IA\asappsrv.dll -> Adware.CommAd : No action taken.
C:\WINDOWS\IA\command.exe -> Adware.CommAd : No action taken.
C:\nwnmdd_6.exe -> Adware.DollarRevenue : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0024577.exe -> Adware.Enbrow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP228\A0031641.exe -> Adware.Enbrow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048267.exe -> Adware.Linkmaker : No action taken.
C:\WINDOWS\System32ftuninst.exe -> Adware.Linkmaker : No action taken.
C:\Installer3.exe -> Adware.Look2Me : No action taken.
C:\warebundle.exe -> Adware.Look2Me : No action taken.
C:\warebundlenewer.exe -> Adware.Look2Me : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048119.exe -> Adware.MediaTickets : No action taken.
C:\WINDOWS\mirar.exe -> Adware.NetNucleus : No action taken.
C:\NNSCAA638.EXE -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0029595.dll -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047079.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047080.exe -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048120.dll -> Adware.NewDotNet : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052727.exe -> Adware.NewDotNet : No action taken.
C:\WINDOWS\NDNuninstall7_22.exe -> Adware.NewDotNet : No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU -> Adware.SaveNow : No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU\Learn More About WhenU Save.url -> Adware.SaveNow : No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU\Learn More About WhenU SaveNow.url -> Adware.SaveNow : No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU\Uninstall.lnk -> Adware.SaveNow : No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU\WhenU Help Desk.lnk -> Adware.SaveNow : No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\WhenU\WhenU.com Website.url -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP221\A0022352.exe -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP242\A0038667.exe -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP242\A0038668.exe -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP242\A0038671.dll -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047646.dll -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047647.exe -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047648.exe -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047649.exe -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047650.exe -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048234.exe/SaveNow.exe -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048234.exe/Uninst.exe -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0050592.exe -> Adware.SaveNow : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047023.exe -> Adware.SearchAssistant : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047024.exe -> Adware.SearchAssistant : No action taken.
C:\WINDOWS\SYSTEM32\bez6n4r21.exe -> Adware.SearchAssistant : No action taken.
C:\WINDOWS\System32bez6n4r21.exe -> Adware.SearchAssistant : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048242.dll -> Adware.Spysheriff : No action taken.
C:\WINDOWS\SYSTEM32\gbe90qs.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\SYSTEM32\n9nyb.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\SYSTEM32\wfxqhv.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\SYSTEM32\zqskw.exe -> Adware.Suggestor : No action taken.
C:\WINDOWS\System32n9nyb.exe -> Adware.Suggestor : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\i4.tmp -> Adware.SurfSide : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047615.exe -> Adware.SurfSide : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\GLB1.tmp/empty_00000001 -> Adware.Ucmore : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\GLB3.tmp/empty_00000001 -> Adware.Ucmore : No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\UCmore - The Search Accelerator -> Adware.Ucmore : No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\UCmore - The Search Accelerator\How To Uninstall.lnk -> Adware.Ucmore : No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\UCmore - The Search Accelerator\UCmore - The Search Accelerator.lnk -> Adware.Ucmore : No action taken.
C:\Documents and Settings\Owner\Start Menu\Programs\UCmore - The Search Accelerator\UCmore Tour.lnk -> Adware.Ucmore : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052768.exe/IUCMORE.DLL -> Adware.Ucmore : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052768.exe/UCMTSAIE.DLL -> Adware.Ucmore : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052768.exe/empty_00000001 -> Adware.Ucmore : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052769.dll -> Adware.Ucmore : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052770.dll -> Adware.Ucmore : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0024579.dll -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047631.exe -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047632.dll -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047642.dll -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0047643.exe -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048132.dll -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048133.exe -> Adware.WebHancer : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052775.exe -> Adware.ZenoSearch : No action taken.
C:\WINDOWS\SYSTEM32\psdsregs.exe -> Adware.ZenoSearch : No action taken.
C:\WINDOWS\SYSTEM32\twintqez.exe -> Adware.ZenoSearch : No action taken.
C:\ZIGID003.exe -> Adware.ZenoSearch : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052740.exe -> Downloader.Adload.bo : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052748.exe -> Downloader.Adload.bo : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052756.exe -> Downloader.Adload.bo : No action taken.
C:\WINDOWS\drsmartload45a.exe -> Downloader.Adload.bo : No action taken.
C:\WINDOWS\drsmartload46a.exe -> Downloader.Adload.bo : No action taken.
C:\WINDOWS\drsmartload849a.exe -> Downloader.Adload.bo : No action taken.
C:\nwnmad_5.exe -> Downloader.Adload.ca : No action taken.
C:\dfndrd_5.exe -> Downloader.Adload.cu : No action taken.
C:\kybrdd_5.exe -> Downloader.Adload.cu : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052750.exe -> Downloader.Adload.cv : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052734.exe -> Downloader.Adload.cw : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052735.exe -> Downloader.Adload.cw : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052738.exe -> Downloader.Adload.cw : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052741.exe -> Downloader.Adload.cw : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052742.exe -> Downloader.Adload.cw : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052746.exe -> Downloader.Adload.cw : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052749.exe -> Downloader.Adload.cw : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052754.exe -> Downloader.Adload.cw : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP244\A0039664.exe -> Downloader.Adload.cy : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052719.exe -> Downloader.Adload.cy : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052757.exe -> Downloader.Adload.cy : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0049587.exe -> Downloader.Adload.de : No action taken.
C:\kybrdfh_10.exe -> Downloader.Adload.dv : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052739.exe -> Downloader.Adload.ee : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052747.exe -> Downloader.Adload.ee : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052755.exe -> Downloader.Adload.ee : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052758.exe -> Downloader.Adload.ef : No action taken.
C:\dist13.exe -> Downloader.Agent.aaf : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048124.dll -> Downloader.Agent.agw : No action taken.
C:\fym9bvo.exe -> Downloader.Agent.ala : No action taken.
C:\WINDOWS\SYSTEM32\oins.exe -> Downloader.PurityScan.cp : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0028595.exe -> Downloader.Qoologic.at : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0029596.exe -> Downloader.Qoologic.at : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0030595.exe -> Downloader.Qoologic.at : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP227\A0030641.exe -> Downloader.Qoologic.at : No action taken.
C:\installerwnus.exe -> Downloader.Qoologic.at : No action taken.
C:\installerwnusnew.exe -> Downloader.Qoologic.at : No action taken.
C:\installerwnusnewer.exe -> Downloader.Qoologic.at : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048125.exe -> Downloader.Qoologic.bj : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048127.exe -> Downloader.Qoologic.bj : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048128.dll -> Downloader.Qoologic.bj : No action taken.
[1148] C:\WINDOWS\System32\ueihtio.dll -> Downloader.Qoologic.bj : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP228\A0031660.exe -> Downloader.Small : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052721.exe -> Downloader.Small : No action taken.
C:\Program Files\Common Files\mewolywuq.dll.exe -> Downloader.Small.ajc : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0023590.exe -> Downloader.Small.ajc : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\qvxt3.game -> Downloader.Small.arj : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0050646.exe -> Downloader.Small.arj : No action taken.
C:\MTE3NDI6ODoxNgnew.exe -> Downloader.Small.buy : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052733.exe -> Downloader.Small.buy : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\170171.exe -> Downloader.Small.cip : No action taken.
C:\WINDOWS\SYSTEM32\spizohst.exe -> Downloader.Small.cip : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052759.exe -> Downloader.Small.cpu : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vx4.game -> Downloader.Small.ctk : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052729.exe -> Downloader.Small.ctk : No action taken.
C:\Program Files\Common Files\mewolywuq.dll -> Downloader.Small.ctp : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vx3.game -> Downloader.Small.cxx : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0050644.exe -> Downloader.Small.cxx : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vxt3.game -> Downloader.Small.cya : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052731.exe -> Downloader.Small.cya : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052764.exe -> Downloader.Small.cya : No action taken.
C:\ac3_0003.exe -> Downloader.Small.cyh : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vxt2.game -> Downloader.Small.dak : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052732.exe -> Downloader.Small.dak : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052714.exe -> Downloader.Tibs.eo : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052715.exe -> Downloader.Tibs.eo : No action taken.
C:\WINDOWS\Downloaded Program Files\win32.exe -> Downloader.Tibs.es : No action taken.
C:\WINDOWS\SYSTEM32\kernels8.exe -> Downloader.Tibs.es : No action taken.
C:\stub_113_4_0_4_0newer.exe -> Downloader.TSUpdate.o : No action taken.
C:\nwnmac_6.exe -> Downloader.VB.ada : No action taken.
C:\defender23a.exe -> Downloader.VB.adw : No action taken.
C:\WINDOWS\win320874114289112006.exe -> Downloader.VB.aga : No action taken.
C:\kybrdaca_6.exe -> Downloader.VB.agi : No action taken.
C:\kybrddd_6.exe -> Downloader.VB.aid : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0024575.exe -> Downloader.VB.tw : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0024576.exe -> Downloader.VB.tw : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP228\A0031642.exe -> Downloader.VB.tw : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP242\A0038641.exe -> Downloader.VB.tw : No action taken.
C:\WINDOWS\xload.exe -> Downloader.VB.wz : No action taken.
C:\WINDOWS\visfx500.exe -> Dropper.Agent.aie : No action taken.
C:\visfx500.exe -> Dropper.Agent.aie : No action taken.
C:\visfx500new.exe -> Dropper.Agent.aie : No action taken.
C:\numbsoftnew.exe -> Dropper.Agent.hl : No action taken.
C:\webnexmk.exe -> Dropper.Agent.hl : No action taken.
C:\webnexmknew.exe -> Dropper.Agent.hl : No action taken.
C:\626_101new.exe -> Dropper.Agent.mu : No action taken.
C:\626_101newer.exe -> Dropper.Agent.mu : No action taken.
C:\526_620.exe -> Dropper.Mudrop.bq : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vx1.game -> Dropper.Small.aoh : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP236\A0037657.exe -> Dropper.Small.aoh : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP242\A0038658.exe -> Dropper.Small.aoh : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP244\A0039659.exe -> Dropper.Small.aoh : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP246\A0040656.exe -> Dropper.Small.aoh : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP246\A0041657.exe -> Dropper.Small.aoh : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP247\A0042657.exe -> Dropper.Small.aoh : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0043657.exe -> Dropper.Small.aoh : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0044658.exe -> Dropper.Small.aoh : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048588.exe -> Dropper.Small.aoh : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052730.exe -> Dropper.Small.aoh : No action taken.
C:\SS1001newer.exe -> Dropper.Small.qn : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048272.exe -> Hijacker.Small : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048426.exe -> Hijacker.Small : No action taken.
C:\WINDOWS\v1201.exe -> Hijacker.Small : No action taken.
C:\Program Files\ComPlus Applications\mecevemul.html -> Hijacker.Small.jf : No action taken.
C:\Program Files\Detto\mecevemul.html -> Hijacker.Small.jf : No action taken.
C:\Program Files\Detto\pofoxop.html -> Hijacker.Small.jf : No action taken.
C:\Program Files\HP Instant Support\pofoxop.html -> Hijacker.Small.jf : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0049589.exe -> Hijacker.Small.jf : No action taken.
C:\WINDOWS\wallpap.exe -> Hijacker.Small.jf : No action taken.
C:\nwnmd_5.exe -> Hijacker.VB.fe : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052736.exe -> Hijacker.VB.fg : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052737.exe -> Hijacker.VB.fg : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052744.exe -> Hijacker.VB.fg : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052745.exe -> Hijacker.VB.fg : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052752.exe -> Hijacker.VB.fg : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052753.exe -> Hijacker.VB.fg : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0027611.exe -> Hijacker.VB.ij : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0043662.exe -> Hijacker.VB.ij : No action taken.
C:\WINDOWS\hdctsnm.exe -> Hijacker.VB.ij : No action taken.
C:\WINDOWS\Downloaded Program Files\pre.exe -> Hijacker.VB.lb : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052774.exe -> Hijacker.VB.ly : No action taken.
C:\dfndrfh_10.exe -> Hijacker.VB.ly : No action taken.
C:\dfndrac_6.exe -> Hijacker.VB.nh : No action taken.
C:\dfndrad_5.exe -> Hijacker.VB.nh : No action taken.
C:\dfndrdd_6.exe -> Hijacker.VB.nh : No action taken.
C:\kybrdad_5.exe -> Hijacker.VB.nh : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052717.exe -> Not-A-Virus.Hoax.Win32.Renos.dn : No action taken.
C:\WINDOWS\xpupdate.exe -> Not-A-Virus.Hoax.Win32.Renos.dn : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052726.exe -> Not-A-Virus.Monitor.Win32.NetMon.a : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vxt4.game -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP236\A0037659.exe -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP242\A0038661.exe -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP244\A0039658.exe -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP246\A0040659.exe -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP246\A0041658.exe -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP247\A0042659.exe -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0043658.exe -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048590.exe -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0050642.exe -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0051658.dll -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0051667.dll -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0051676.dll -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052676.dll -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052728.exe -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052766.dll -> Proxy.Agent.ji : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052767.dll -> Proxy.Lager.aq : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vx2.game -> Proxy.Small.bo : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052760.exe -> Proxy.Small.bo : No action taken.
C:\WINDOWS\SYSTEM32\0mcamcap.exe -> Proxy.Small.bo : No action taken.
[480] C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll -> Proxy.Xorpix.z : No action taken.
:mozilla.12:C:\Documents and Settings\Administrator\Application Data\Mozilla\Firefox\Profiles\a8jz4rq7.default\cookies.txt -> TrackingCookie.2o7 : No action taken.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Falkag : No action taken.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : No action taken.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Fastclick : No action taken.
:mozilla.7:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\4o1cbmpd.default\cookies.txt -> TrackingCookie.Findwhat : No action taken.
:mozilla.11:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\4o1cbmpd.default\cookies.txt -> TrackingCookie.Goclick : No action taken.
:mozilla.12:C:\Documents and Settings\LocalService\Application Data\Mozilla\Firefox\Profiles\4o1cbmpd.default\cookies.txt -> TrackingCookie.Goclick : No action taken.
C:\Documents and Settings\Owner\Cookies\[email protected][2].txt -> TrackingCookie.Goclick : No action taken.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Searchingbooth : No action taken.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Yieldmanager : No action taken.
C:\Documents and Settings\Owner\Cookies\[email protected][1].txt -> TrackingCookie.Zedo : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0028612.exe -> Trojan.Qoologic : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0029612.exe -> Trojan.Qoologic : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP225\A0030612.exe -> Trojan.Qoologic : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048131.exe -> Trojan.Qoologic : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0048378.exe -> Trojan.Qoologic : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\qvxt2.game -> Trojan.Small : No action taken.
C:\Documents and Settings\Owner\Local Settings\Temp\vx6.game -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0050643.exe -> Trojan.Small : No action taken.
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0050647.exe -> Trojan.Small : No action taken.
C:\WINDOWS\SYSC00.exe -> Trojan.VB.tg : No action taken.
C:\WINDOWS\uni_eh.exe -> Trojan.VB.tg : No action taken.
C:\WINDOWS\unin101.exe -> Trojan.VB.tg : No action taken.


::Report end


HJT

Logfile of HijackThis v1.99.1
Scan saved at 10:41:54 AM, on 8/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\owjhca.exe
C:\WINDOWS\System32\fgalc.exe
C:\WINDOWS\System32\fgalc.exe
C:\WINDOWS\System32\fgalc.exe
C:\Program Files\PC Cleanup\Ewido\ewido anti-spyware 4.0\ewido.exe
C:\Program Files\PC Cleanup\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://yahoo.sbc.com/dsl
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://yahoo.sbc.com/dsl
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mrfindalot.co....asp?xbid=14000
F2 - REG:system.ini: Shell=Explorer.exe, C:\WINDOWS\System32\fgalc.exe
F2 - REG:system.ini: UserInit=userinit.exe,pbhpmfd.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\PCCLEA~1\SpyBot\SPYBOT~1\SDHelper.dll
O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\System32\twintqex.exe GID003
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe" /min
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [KernelFaultCheck] %systemroot%\system32\dumprep 0 -k
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [nnnycx] C:\WINDOWS\System32\owjhca.exe reg_run
O4 - HKLM\..\Run: [HotKeysCmd] C:\WINDOWS\System32\system.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\PC Cleanup\Ewido\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKLM\..\RunOnce: [Spybot - Search & Destroy] "C:\Program Files\PC Cleanup\SpyBot\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKLM\..\RunOnce: [SpybotSnD] "C:\Program Files\PC Cleanup\SpyBot\Spybot - Search & Destroy\SpybotSD.exe" /autocheck
O4 - HKCU\..\Run: [kktbd] C:\WINDOWS\System32\owjhca.exe reg_run
O4 - Startup: AutoPlay.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: heuii.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)
O9 - Extra button: Real.com - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - C:\WINDOWS\System32\Shdocvw.dll
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1155695686045
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.19/ttinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go...GameManager.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...bio5_3_12_0.cab
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - (no file)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\PC Cleanup\Ewido\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe

#2
Tigger93
    Trusted Helper
  • Retired Staff
  • 1,870 posts
Hello and Welcome. :whistling:

Please re-open HiJackThis and click on Do a system scan only and place a checkmark next to the entries:
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://red.clientapp...//www.yahoo.com
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://mrfindalot.co....asp?xbid=14000

O2 - BHO: Yahoo! IE Services Button - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\Program Files\Yahoo!\Common\yiesrvc.dll (file missing)


Please close all other windows other than HiJackThis and click Fix Checked. Exit HJT.

I see you already have Ewido Anti-malware on your system. Please start Ewido--you will now need to update Ewido to the latest definition files, and configure it for scanning.
  • On the top of the main screen, click Shield.
  • Click on the word active to change it to inactive
  • On the top of the main screen click Update.
  • Then click on Start Update. The update will start and a progress bar will show the updates being installed. If you have problems with the updater, you can use Ewido's manual updater instead.
  • Once the update has completed, select the Scanner icon at the top of the screen, then select the Settings tab.
  • On the Settings screen, under the section How to act?, click on Recommended actions and then select Quarantine.
  • Under the section Reports, select Automatically generate report after every scan and un-select Only if threats were found.
Close all open windows and please do not open any new windows during the course of this scan. Open Ewido.
  • Click on Scanner.
  • Select the Scan tab.
  • Click Complete System Scan to begin scanning.
  • Once the scan is complete, if you have any infections, you will be prompted to take action. Select Apply all actions at the prompt, if applicable. If you do not have any infections, there will be no prompt.
  • Click the Save report button, then click Save Report As and save it to your desktop. It is important to save this file and remember where it is saved; we'll need to see it later.
  • Exit Ewido.
Restart your computer and post a new HiJackThis log and the Ewido log. :blink:
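As an added example (not part of this thread and not a HijackThis or Geeks to Go tool), the script below applies the checks behind the fix list above to HijackThis log lines: R0/R1 URLs on the hijacker hosts the helper flagged, F2 Shell/UserInit values with a second executable chained in, O4 autoruns launched from Temp, O15 Trusted Zone additions, O20 Winlogon Notify DLLs outside System32, and hooks whose file is missing. The sample lines are copied from the logs in this thread (URLs elided as posted); the hijacker host list is my assumption, taken from the entries the helper chose to fix.

```python
import re

# Hosts the helper in post #2 told the poster to fix (assumption drawn from this thread's log).
HIJACKER_HOSTS = ("red.clientapp", "mrfindalot.co")
ENTRY_RE = re.compile(r"^(?P<kind>[RFO]\d+) - (?P<body>.*)$")


def classify(line):
    """Return the reasons a HijackThis log line deserves review ([] = nothing stood out)."""
    m = ENTRY_RE.match(line.strip())
    if not m:
        return []  # header, running-process list or blank line
    kind, body = m.group("kind"), m.group("body")
    reasons = []
    # R0/R1: IE start/search pages pointing at the hijacker hosts named in the thread.
    if kind in ("R0", "R1") and any(h in body for h in HIJACKER_HOSTS):
        reasons.append("IE start/search URL points at a known hijacker host")
    # F2: system.ini Shell= / UserInit= should name exactly one program; this log shows
    # "UserInit=userinit.exe,pbhpmfd.exe" and Ewido later quarantined pbhpmfd.exe.
    if kind == "F2" and "=" in body:
        parts = [p.strip() for p in body.split("=", 1)[1].split(",") if p.strip()]
        if len(parts) > 1:
            reasons.append("extra executable chained into the Winlogon Shell/UserInit value")
    # O4: autostart programs launched from a user temp directory (mpcsvc.exe in this log).
    if kind == "O4" and re.search(r"\\temp\\", body, re.I):
        reasons.append("autorun program lives in a temp directory")
    # O15: a domain in the IE Trusted Zone runs with relaxed browser security.
    if kind == "O15":
        reasons.append("site added to the IE Trusted Zone")
    # O20: Winlogon Notify DLLs normally live in System32; this log's is under Documents.
    if kind == "O20" and not re.search(r"\\system32\\", body, re.I):
        reasons.append("Winlogon Notify DLL outside System32")
    # O2/O20 hooks whose file is gone are dead entries that should simply be removed.
    if kind in ("O2", "O20") and "(file missing)" in body:
        reasons.append("entry references a missing file")
    return reasons


def triage(log_text):
    """Map each flagged line of a whole log to its reasons, in log order."""
    flagged = {}
    for line in log_text.splitlines():
        reasons = classify(line)
        if reasons:
            flagged[line.strip()] = reasons
    return flagged


# Sample lines copied from the HijackThis logs in this thread (URLs elided as posted).
SAMPLE_LOG = r"""R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://red.clientapp.../search/ie.html
F2 - REG:system.ini: UserInit=userinit.exe,pbhpmfd.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKCU\..\Run: [Manager e01 sp] C:\DOCUME~1\Owner\LOCALS~1\Temp\mpcsvc.exe
O15 - Trusted Zone: *.sxload.com
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe"""

if __name__ == "__main__":
    for entry, why in triage(SAMPLE_LOG).items():
        print(entry[:70], "->", "; ".join(why))
```

Entries the script leaves alone (the NVIDIA driver helper, the vendor autoruns) still need a human eye; the checks only surface the patterns this thread actually exhibited.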

#3
SpaceCowboy706
    Trusted Tech
  • Topic Starter
  • Member
  • 1,175 posts
Did as you instructed and here are the log results you requested:

Logfile of HijackThis v1.99.1
Scan saved at 5:13:45 PM, on 8/16/2006
Platform: Windows XP (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 (6.00.2600.0000)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\PC Cleanup\Ewido\ewido anti-spyware 4.0\guard.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
C:\WINDOWS\system32\ps2.exe
C:\WINDOWS\System32\igfxtray.exe
C:\windows\system\hpsysdrv.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
C:\WINDOWS\System32\hkcmd.exe
C:\Program Files\PC Cleanup\Ewido\ewido anti-spyware 4.0\ewido.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\mpcsvc.exe
C:\Program Files\eFax Messenger Plus\HotTray.exe
C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
c:\Program Files\Microsoft Money\System\urlmap.exe
C:\Program Files\PC Cleanup\HiJackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us4.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Window Title = Internet Explorer Provided by Cox High Speed Internet
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R3 - URLSearchHook: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
F2 - REG:system.ini: UserInit=userinit.exe,pbhpmfd.exe
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\PCCLEA~1\SpyBot\SPYBOT~1\SDHelper.dll
O2 - BHO: DeskbarBHO - {A8B28872-3324-4CD2-8AA3-7D555C872D96} - C:\Program Files\Deskbar\deskbar.dll
O2 - BHO: (no name) - {FDD3B846-8D59-4ffb-8758-209B6AD74ACC} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O3 - Toolbar: &Radio - {8E718888-423F-11D2-876E-00A0C9082467} - C:\WINDOWS\System32\msdxm.ocx
O4 - HKLM\..\Run: [ExploreUpdSched] C:\WINDOWS\SYSTEM32\twintqex.exe GID003
O4 - HKLM\..\Run: [WinAntiVirusPro2006] "C:\Program Files\WinAntiVirus Pro 2006\WinAV.exe" /min
O4 - HKLM\..\Run: [ViewMgr] C:\Program Files\Viewpoint\Viewpoint Manager\ViewMgr.exe
O4 - HKLM\..\Run: [S3TRAY2] S3tray2.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE NvQTwk,NvCplDaemon initialize
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\System32\igfxtray.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb04.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\System32\hkcmd.exe
O4 - HKLM\..\Run: [ConMgr.exe] "C:\Program Files\EarthLink 5.0\ConMgr.exe"
O4 - HKLM\..\Run: [nnnycx] C:\WINDOWS\System32\owjhca.exe reg_run
O4 - HKLM\..\Run: [HotKeysCmd] C:\WINDOWS\System32\system.exe
O4 - HKLM\..\Run: [!ewido] "C:\Program Files\PC Cleanup\Ewido\ewido anti-spyware 4.0\ewido.exe" /minimized
O4 - HKLM\..\RunServices: [SystemTools] C:\WINDOWS\System32\testtestt.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [Yahoo! Pager] C:\PROGRA~1\Yahoo!\MESSEN~1\ypager.exe -quiet
O4 - HKCU\..\Run: [Microsoft Works Update Detection] c:\Program Files\Microsoft Works\WkDetect.exe
O4 - HKCU\..\Run: [Zero Knowledge Freedom] C:\Program Files\Zero Knowledge\Freedom\Freedom.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\plugin\bin\PCHButton.exe
O4 - HKCU\..\Run: [AIM] C:\PROGRA~1\AIM95\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [kktbd] C:\WINDOWS\System32\owjhca.exe reg_run
O4 - HKCU\..\Run: [0mcamcap] C:\WINDOWS\System32\0mcamcap.exe
O4 - HKCU\..\Run: [win_drivr32] C:\WINDOWS\System32\spizohst.exe
O4 - HKCU\..\Run: [Manager e01 sp] C:\DOCUME~1\Owner\LOCALS~1\Temp\mpcsvc.exe
O4 - Startup: Think-Adz.lnk = C:\WINDOWS\SYSTEM32\twintqex.exe
O4 - Startup: Z_Start.lnk = C:\WINDOWS\SYSTEM32\dwdsregt.exe
O4 - Global Startup: eFax Tray Menu.lnk = C:\Program Files\eFax Messenger Plus\HotTray.exe
O4 - Global Startup: hp center UI.lnk = C:\Program Files\hp center\137903\Shadow\ShadowBar.exe
O4 - Global Startup: hp center.lnk = C:\Program Files\hp center\137903\Program\BackWeb-137903.exe
O4 - Global Startup: Live Menu.lnk = C:\Program Files\eFax Messenger Plus\Dllcmd32.exe
O8 - Extra context menu item: &Yahoo! Search - file:///C:\Program Files\Yahoo!\Common/ycsrch.htm
O8 - Extra context menu item: Yahoo! &Dictionary - file:///C:\Program Files\Yahoo!\Common/ycdict.htm
O8 - Extra context menu item: Yahoo! &Maps - file:///C:\Program Files\Yahoo!\Common/ycmap.htm
O8 - Extra context menu item: Yahoo! &SMS - file:///C:\Program Files\Yahoo!\Common/ycsms.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll
O9 - Extra button: Yahoo! Services - {5BAB4B5B-68BC-4B02-94D6-2FC0DE4A7897} - C:\WINDOWS\System32\shdocvw.dll
O9 - Extra button: (no name) - {CD67F990-D8E9-11d2-98FE-00C0F0318AFE} - (no file)
O9 - Extra button: MoneySide - {E023F504-0C5A-4750-A1E7-A9046DEA8A21} - c:\Program Files\Microsoft Money\System\mnyviewer.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O9 - Extra 'Tools' menuitem: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE (file missing)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.sxload.com
O16 - DPF: {352797A0-EFD0-4FA6-B229-145120EA4B8A} (Walt Disney Internet Group Hardware Control) - https://disneyblast....wareControl.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://update.micros...b?1155695686045
O16 - DPF: {C02226EB-A5D7-4B1F-BD7E-635E46C2288D} (Toontown Installer ActiveX Control) - http://download.toon...5.19/ttinst.cab
O16 - DPF: {CC32D4D8-2A0B-4CEB-B105-C9B968379105} (CGameManagerCtrl Object) - http://www.disney.go...GameManager.cab
O16 - DPF: {D18F962A-3722-4B59-B08D-28BB9EB2281E} (PhotosCtrl Class) - http://photos.yahoo....plorer1_9us.cab
O16 - DPF: {EF99BD32-C1FB-11D2-892F-0090271D4F88} (Yahoo! Toolbar) - http://us.dl1.yimg.c...bio5_3_12_0.cab
O18 - Filter: text/html - {624A3CDB-8C0A-4902-8480-191582C8498E} - (no file)
O20 - Winlogon Notify: artm_newreg - C:\Documents and Settings\All Users\Documents\Settings\artm_new.dll (file missing)
O23 - Service: ewido anti-spyware 4.0 guard - Anti-Malware Development a.s. - C:\Program Files\PC Cleanup\Ewido\ewido anti-spyware 4.0\guard.exe
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe


---------------------------------------------------------
ewido anti-spyware - Scan Report
---------------------------------------------------------

+ Created at: 5:12:23 PM 8/16/2006

+ Scan result:



C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052880.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\System Volume Information\_restore{0A438C3B-A487-4C6D-850C-C76CC3327FD0}\RP248\A0052888.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).
C:\WINDOWS\SYSTEM32\pbhpmfd.exe -> Downloader.Qoologic.bj : Cleaned with backup (quarantined).


::Report end


PS.... On the Ewido scan I forgot to save the report after it was done, so I had to do it again (20 minutes later) and I noticed that it found and quarantined the exact same thing that it did the time before.

#4
Tigger93
    Trusted Helper
  • Retired Staff
  • 1,870 posts
Looking better already. :whistling:

Open HijackThis, click Config, click Misc Tools
Click "Open Uninstall Manager"
Click "Save List" (generates uninstall_list.txt)
Click Save, copy and paste the results in your next post.

Please download Qoofix by Rubber Ducky to your desktop.
  • Right click on the Qoofix folder, and choose "Extract All". Extract Qoofix to your C: drive
  • Close all windows and programs, including internet windows.
  • Go to C:\Qoofix and open the folder, then double click on Qoofix.exe
  • Click Begin Removal and wait for the scan to finish
  • If Qoofix finds an infection, select yes to restart your computer
  • You will now find a log from this tool, located at C:\Qoofix\Qoofix Logfile.txt. Copy and paste the contents of that report into your next reply here.
Please post the Qoofix log and the Uninstall list. :blink:

#5
SpaceCowboy706
    Trusted Tech
  • Topic Starter
  • Member
  • 1,175 posts
Again, as you instructed and requested:

Qoofix v1.03
by http://www.malwarebytes.org
Scan started on [8/16/2006] at [5:51:03 PM]
-------------------------------------------------------------
No malicious modules found!
-------------------------------------------------------------
No Qoologic infected files found!
-------------------------------------------------------------
Scan COMPLETED SUCCESSFULLY on [8/16/2006] at [5:52:23 PM]

Note: Some registry keys may have been removed.



Uninstall List

Ad-Aware SE Personal
Adobe Acrobat 5.0
CleanUp!
Detto IntelliMover
eFax Messenger Plus
ewido anti-spyware 4.0
Forethought
HijackThis 1.99.1
hp center
hp deskjet 845c series (Remove only)
HP Instant Support
Inactive HP Printer Drivers (Remove only)
Java 2 Runtime Environment, SE v1.4.2
Lernout & Hauspie TruVoice American English TTS Engine
McAfee.com Agent
Microsoft Excel Viewer 97
Microsoft Money 2002
Microsoft Money 2002 System Pack
Microsoft Works 6.0
Microsoft Works and Money 2002 Setup Launcher
Mozilla Firefox (1.5)
MSN Add-in for Windows Messenger
MUSICMATCH Jukebox
My Photo Center
NVIDIA Windows 2000/XP Display Drivers
PS2
Quicken Financial Center
S3 Gamma
S3 Savage4 Family Display Switch2 Utility
Search Bar
Shockwave
Sonic Foundry Super Duper Music Looper XPress
Spybot - Search & Destroy 1.4
Tcl 8.0.5 for Windows
Viewpoint Manager (Remove Only)
Viewpoint Media Player (Remove Only)
Windows XP Hotfix (SP1) [See Q308387 for more information]
Windows XP Hotfix (SP1) [See Q308676 for more information]
Windows XP Hotfix (SP1) [See Q308677 for more information]
WordPerfect Office 2002 Try Before You Buy
WordPerfect Office 2002 Try Before You Buy

#6
Tigger93
    Trusted Helper
  • Retired Staff
  • 1,870 posts
Since this issue appears to be resolved ... this Topic has been closed. Glad we could help. :whistling:

If you're the topic starter, and need this topic reopened, please contact a staff member with the address of the thread.

Everyone else please begin a New Topic.