Javascript Disabled Detected

You currently have javascript disabled. Several functions may not work. Please re-enable javascript to access full functionality.

I need Help... Way too many pop us[RESOLVED]

Started by blinkchaser , Apr 12 2005 04:05 PM

This topic is locked

#1
blinkchaser

Posted 12 April 2005 - 04:05 PM

Member

Member
22 posts

I'd appreciate the help if anyone in here could help me figure this situation. Like 15 pop ups all come up at once and it sucks really bad.
Thanks

Logfile of HijackThis v1.99.1
Scan saved at 6:01:40 PM, on 4/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\VTTimer.exe
C:\PROGRA~1\Symantec\SAV8\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ntsmod.exe
C:\WINDOWS\lqyzsvcq.exe
C:\WINDOWS\System32\vzkkak.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Owner\Application Data\wtta.exe
C:\WINDOWS\System32\n?tdde.exe
C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Program Files\WinRAR\WinRAR.exe
C:\DOCUME~1\Owner\LOCALS~1\Temp\Rar$EX00.187\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.absolutepunk.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SAV8\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ntsmod] C:\WINDOWS\System32\ntsmod.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [tyxyghdj] C:\WINDOWS\lqyzsvcq.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vzkkak.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteims32.exe
O4 - HKLM\..\Run: [MSConfig] C:\WINDOWS\PCHealth\HelpCtr\Binaries\MSConfig.exe /auto
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - HKCU\..\Run: [Easq] C:\WINDOWS\System32\n?tdde.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\hkzjsn01.dll (file missing)
O20 - Winlogon Notify: policies - C:\WINDOWS\system32\en66l1js1.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe

#2
Trevuren

Posted 12 April 2005 - 09:37 PM

Old Dog

Retired Staff
18,699 posts

Hi blinkchaser and welcome to the Geeks to Go Forums.

A preliminary review of your log denotes multiple extremely severe infections. The cleanup process will take a while and demand a lot of work on your part. Replies should be within no more than 2 days to ensure a better chance of non re-infection.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

My name is Trevuren and I will be helping you with your log.

1. Go to Geeks to Go
. Click on My Controls at the top right hand corner of the window. (make sure you have signed in first)
. In the left hand column, click "View Topics"
. If you click on the title of your post, you will be taken there

2. Also, while at the My Controls page, check the box to the right of your post and then scroll down.
.Where it says "unsubscribe" click the pull-down menu and select "immediate email notification"

3. Finally, I need you to place HijackThis into its own folder, not a Temp folder.
HJT needs to be in its own folder so that the program itself isn't deleted by accident. Having the backups could be VITAL to restoring your system if something went wrong in the FIX process!

A. Please go to your 'My Documents' folder, right-click and select 'New > Folder' and name the folder 'HijackThis'.

B. Copy HijackThis into this newly createf folder.

C. Close ALL windows except HJT

D. SCAN with HJT and SAVE LOG. (a notepad window will open with the log in it when you click Save Log) (Ctrl-A to'select all', Ctrl-C to 'copy')

E. POST the log in this thread using 'Add Reply' (Ctrl-V to 'paste')

DO NOT MAKE ANY CHANGES OR CLICK "FIX CHECKED" UNTIL WE CHECK THE LOG, AS MOST OF THE FILES ARE LEGIT AND VITAL TO THE FUNCTION OF YOUR COMPUTER

Regards,

Trevuren

#3
blinkchaser

Posted 12 April 2005 - 10:00 PM

Member

Topic Starter
Member
22 posts

Logfile of HijackThis v1.99.1
Scan saved at 11:57:13 PM, on 4/12/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\HP\KBD\KBD.EXE
C:\WINDOWS\System32\VTTimer.exe
C:\PROGRA~1\Symantec\SAV8\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\ntsmod.exe
C:\WINDOWS\lqyzsvcq.exe
C:\WINDOWS\System32\vzkkak.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\winupdt.exe
C:\WINDOWS\System32\RUNDLL32.exe
C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
C:\DOCUME~1\ALLUSE~1\APPLIC~1\msw\BMan.exe
C:\Documents and Settings\Owner\Application Data\wtta.exe
C:\WINDOWS\System32\n?tdde.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\WINDOWS\explorer.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\rundll32.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.absolutepunk.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [KBD] C:\HP\KBD\KBD.EXE
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SAV8\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [ntsmod] C:\WINDOWS\System32\ntsmod.exe
O4 - HKLM\..\Run: [tyxyghdj] C:\WINDOWS\lqyzsvcq.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vzkkak.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [winupdtl] C:\WINDOWS\System32\winupdt.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [etbrun] C:\windows\system32\eliteims32.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [offerscr.exe] "C:\WINDOWS\offerscr.exe" 1096240008 1098112886
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [BMan] C:\Documents and Settings\All Users\Application Data\msw\BMan1.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [4bklfyoo] C:\Program Files\4bklfyoo\4bklfyoo.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - HKCU\..\Run: [Easq] C:\WINDOWS\System32\n?tdde.exe
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\hkzjsn01.dll (file missing)
O20 - Winlogon Notify: SideBySide - C:\WINDOWS\system32\irlql5351.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe

#4
Trevuren

Posted 12 April 2005 - 10:20 PM

Old Dog

Retired Staff
18,699 posts

Hi blinkchaser,

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Now for the difficult part. Your system is suffering from the Bube virus which is a very bad one. Some systems end up by having to be reformatted. Before we start, make sure that you backup all your important data
in case we run into major trouble.

The following link will provide you with all the information concerning the virus/trojan itself as well as the best description around as far as how to use the programs. Calamity Jane's Treatment

I would advise you to print the article out so as to have it at your fingertips. Follow the instructions to the letter. When they mean SAFE MODE do it.
When they say DISCONNECT FROM THE INTERNET do it.

When you are all finished your chores, return to this thread and post a fresh HJT log making sure that all windows are closed except for HijackThis. We will start cleaning up the remnants.

Regards,

Trevuren

#5
blinkchaser

Posted 13 April 2005 - 08:41 AM

Member

Topic Starter
Member
22 posts

Ok now that I did all that crap and found over a 150 infected things on my computer it was nuts. Now though whenever I start my computer it starts up really fast but just goes to the explorer for a few seconds then turns red and goes to a black screen and nothing works anymore. Therefore I can't get to my HijackThis folder when I'm not working in safe mode. My computer lets me do something for like 10 seconds then goes to that black screen. Heres my virus scan log ...

Statistics:
Task start time: 4/13/2005 1:14:59 AM
Task completion time: 4/13/2005 3:38:49 AM
Objects scanned: 483166
Viruses detected: 152
Viruses disinfected: 0
Objects deleted: 152
Objects quarantined: 1

Settings:
Objects to be scanned:
My Computer
If an infected object is found:
Perform recommended action
Scan level:
Maximum Protection
Objects to be excluded from the scan scope:
Option not used

Report:
rundll32.exe\guard.tmp is infected with a virus not-a-virus:AdWare.Look2Me.ab 4/13/2005 1:15:00 AM
rundll32.exe\guard.tmp deleted 4/13/2005 1:15:00 AM
C:\WINDOWS\system32\guard.tmp is infected with a virus not-a-virus:AdWare.Look2Me.ab 4/13/2005 1:15:00 AM
C:\WINDOWS\system32\guard.tmp moved to the backup storage 4/13/2005 1:15:00 AM
C:\WINDOWS\system32\guard.tmp deleted 4/13/2005 1:15:00 AM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YTQTGTQH\i282[1].exe is infected with a virus Trojan-Downloader.Win32.Qoologic.i 4/13/2005 1:15:30 AM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YTQTGTQH\i282[1].exe moved to the backup storage 4/13/2005 1:15:30 AM
C:\Documents and Settings\Administrator\Local Settings\Temporary Internet Files\Content.IE5\YTQTGTQH\i282[1].exe deleted 4/13/2005 1:15:30 AM
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe is infected with a virus not-a-virus:AdWare.Searcher.h 4/13/2005 1:15:53 AM
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe moved to the backup storage 4/13/2005 1:15:53 AM
C:\Documents and Settings\All Users\Application Data\msw\MSW.exe deleted 4/13/2005 1:15:53 AM
C:\Documents and Settings\All Users\Application Data\wsxs\patchme.exe is infected with a virus not-a-virus:AdWare.DelphinMedia.Viewer.f 4/13/2005 1:16:12 AM
C:\Documents and Settings\All Users\Application Data\wsxs\patchme.exe moved to the backup storage 4/13/2005 1:16:12 AM
C:\Documents and Settings\All Users\Application Data\wsxs\patchme.exe deleted 4/13/2005 1:16:13 AM
C:\Documents and Settings\Owner\inetFuel.exe/data0002 is infected with a virus not-a-virus:AdWare.MetaDirect.a 4/13/2005 1:16:38 AM
C:\Documents and Settings\Owner\inetFuel.exe moved to the backup storage 4/13/2005 1:16:38 AM
C:\Documents and Settings\Owner\inetFuel.exe deleted 4/13/2005 1:16:38 AM
C:\Documents and Settings\Owner\Application Data\wtta.exe is infected with a virus not-a-virus:AdWare.PurityScan.w 4/13/2005 1:16:39 AM
C:\Documents and Settings\Owner\Application Data\wtta.exe moved to the backup storage 4/13/2005 1:16:40 AM
C:\Documents and Settings\Owner\Application Data\wtta.exe deleted 4/13/2005 1:16:40 AM
C:\Documents and Settings\Owner\Desktop\winfix.exe\WinFix.apm\ams_xml_pl.xml password protected, has not been processed 4/13/2005 1:18:17 AM
C:\Documents and Settings\Owner\Desktop\winfix.exe\WinFix.apm\ams_xml_temp.xml password protected, has not been processed 4/13/2005 1:18:17 AM
C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe is infected with a virus not-a-virus:AdWare.PurityScan.w 4/13/2005 1:18:38 AM
C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe moved to the backup storage 4/13/2005 1:18:38 AM
C:\Documents and Settings\Owner\Local Settings\Temp\!update.exe deleted 4/13/2005 1:18:38 AM
C:\Documents and Settings\Owner\Local Settings\Temp\2724.exe is infected with a virus Trojan-Downloader.Win32.Small.aja 4/13/2005 1:18:38 AM
C:\Documents and Settings\Owner\Local Settings\Temp\2724.exe moved to the backup storage 4/13/2005 1:18:39 AM
C:\Documents and Settings\Owner\Local Settings\Temp\2724.exe deleted 4/13/2005 1:18:39 AM
C:\Documents and Settings\Owner\Local Settings\Temp\ahreco.exe is infected with a virus not-a-virus:AdWare.BetterInternet 4/13/2005 1:18:39 AM
C:\Documents and Settings\Owner\Local Settings\Temp\ahreco.exe moved to the backup storage 4/13/2005 1:18:40 AM
C:\Documents and Settings\Owner\Local Settings\Temp\ahreco.exe deleted 4/13/2005 1:18:40 AM
C:\Documents and Settings\Owner\Local Settings\Temp\akcore.dll is infected with a virus not-a-virus:AdWare.Coreak 4/13/2005 1:18:40 AM
C:\Documents and Settings\Owner\Local Settings\Temp\akcore.dll moved to the backup storage 4/13/2005 1:18:40 AM
C:\Documents and Settings\Owner\Local Settings\Temp\akcore.dll deleted 4/13/2005 1:18:40 AM
C:\Documents and Settings\Owner\Local Settings\Temp\aklsp.dll is infected with a virus Trojan-Downloader.Win32.Agent.br 4/13/2005 1:18:40 AM
C:\Documents and Settings\Owner\Local Settings\Temp\aklsp.dll moved to the backup storage 4/13/2005 1:18:40 AM
C:\Documents and Settings\Owner\Local Settings\Temp\aklsp.dll deleted 4/13/2005 1:18:40 AM
C:\Documents and Settings\Owner\Local Settings\Temp\akrules.dll is infected with a virus Trojan-Downloader.Win32.Agent.bt 4/13/2005 1:18:40 AM
C:\Documents and Settings\Owner\Local Settings\Temp\akrules.dll moved to the backup storage 4/13/2005 1:18:41 AM
C:\Documents and Settings\Owner\Local Settings\Temp\akrules.dll deleted 4/13/2005 1:18:41 AM
C:\Documents and Settings\Owner\Local Settings\Temp\bw2.com is infected with a virus Trojan-Downloader.Win32.Small.ru 4/13/2005 1:18:41 AM
C:\Documents and Settings\Owner\Local Settings\Temp\bw2.com moved to the backup storage 4/13/2005 1:18:42 AM
C:\Documents and Settings\Owner\Local Settings\Temp\bw2.com deleted 4/13/2005 1:18:42 AM
C:\Documents and Settings\Owner\Local Settings\Temp\bw2.exe is infected with a virus Trojan-Downloader.Win32.Small.ru 4/13/2005 1:18:42 AM
C:\Documents and Settings\Owner\Local Settings\Temp\bw2.exe moved to the backup storage 4/13/2005 1:18:42 AM
C:\Documents and Settings\Owner\Local Settings\Temp\bw2.exe deleted 4/13/2005 1:18:42 AM
C:\Documents and Settings\Owner\Local Settings\Temp\mm_reco.exe is infected with a virus not-a-virus:AdWare.BetterInternet 4/13/2005 1:18:47 AM
C:\Documents and Settings\Owner\Local Settings\Temp\mm_reco.exe moved to the backup storage 4/13/2005 1:18:48 AM
C:\Documents and Settings\Owner\Local Settings\Temp\mm_reco.exe deleted 4/13/2005 1:18:48 AM
C:\Documents and Settings\Owner\Local Settings\Temp\nsdtmp09.dll is infected with a virus not-a-virus:AdWare.MetaDirect.a 4/13/2005 1:18:48 AM
C:\Documents and Settings\Owner\Local Settings\Temp\nsdtmp09.dll moved to the backup storage 4/13/2005 1:18:49 AM
C:\Documents and Settings\Owner\Local Settings\Temp\nsdtmp09.dll deleted 4/13/2005 1:18:49 AM
C:\Documents and Settings\Owner\Local Settings\Temp\ping41.exe is infected with a virus Trojan-Downloader.Win32.Agent.fk 4/13/2005 1:18:49 AM
C:\Documents and Settings\Owner\Local Settings\Temp\ping41.exe moved to the backup storage 4/13/2005 1:18:49 AM
C:\Documents and Settings\Owner\Local Settings\Temp\ping41.exe deleted 4/13/2005 1:18:49 AM
C:\Documents and Settings\Owner\Local Settings\Temp\powerscan.exe is infected with a virus not-a-virus:AdWare.PowerScan.b 4/13/2005 1:18:49 AM
C:\Documents and Settings\Owner\Local Settings\Temp\powerscan.exe moved to the backup storage 4/13/2005 1:18:49 AM
C:\Documents and Settings\Owner\Local Settings\Temp\powerscan.exe deleted 4/13/2005 1:18:49 AM
C:\Documents and Settings\Owner\Local Settings\Temp\se.exe/data0002 is infected with a virus not-a-virus:AdWare.WindowEnhancer 4/13/2005 1:18:50 AM
C:\Documents and Settings\Owner\Local Settings\Temp\se.exe moved to the backup storage 4/13/2005 1:18:50 AM
C:\Documents and Settings\Owner\Local Settings\Temp\se.exe deleted 4/13/2005 1:18:50 AM
C:\Documents and Settings\Owner\Local Settings\Temp\sysgxnt.exe is infected with a virus Trojan-Downloader.Win32.IstBar.gen 4/13/2005 1:18:53 AM
C:\Documents and Settings\Owner\Local Settings\Temp\sysgxnt.exe moved to the backup storage 4/13/2005 1:18:53 AM
C:\Documents and Settings\Owner\Local Settings\Temp\sysgxnt.exe deleted 4/13/2005 1:18:53 AM
C:\Documents and Settings\Owner\Local Settings\Temp\targetsaver.exe/WISE0001.BIN is infected with a virus Trojan-Downloader.Win32.TSUpdate.f 4/13/2005 1:18:54 AM
C:\Documents and Settings\Owner\Local Settings\Temp\targetsaver.exe moved to the backup storage 4/13/2005 1:18:54 AM
C:\Documents and Settings\Owner\Local Settings\Temp\targetsaver.exe deleted 4/13/2005 1:18:54 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr2BCC is infected with a virus not-a-virus:AdWare.EZula.ae 4/13/2005 1:18:54 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr2BCC moved to the backup storage 4/13/2005 1:18:54 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr2BCC deleted 4/13/2005 1:18:54 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr6DE0/WISE0001.BIN is infected with a virus not-a-virus:AdWare.EZula.ak 4/13/2005 1:18:55 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr6DE0 moved to the backup storage 4/13/2005 1:18:55 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr6DE0 deleted 4/13/2005 1:18:55 AM
C:\Documents and Settings\Owner\Local Settings\Temp\thnoffer.exe is infected with a virus not-a-virus:AdWare.BetterInternet 4/13/2005 1:18:55 AM
C:\Documents and Settings\Owner\Local Settings\Temp\thnoffer.exe moved to the backup storage 4/13/2005 1:18:56 AM
C:\Documents and Settings\Owner\Local Settings\Temp\thnoffer.exe deleted 4/13/2005 1:18:56 AM
C:\Documents and Settings\Owner\Local Settings\Temp\tp7543.exe is infected with a virus Trojan-Downloader.Win32.Qoologic.i 4/13/2005 1:18:56 AM
C:\Documents and Settings\Owner\Local Settings\Temp\tp7543.exe moved to the backup storage 4/13/2005 1:18:56 AM
C:\Documents and Settings\Owner\Local Settings\Temp\tp7543.exe deleted 4/13/2005 1:18:56 AM
C:\Documents and Settings\Owner\Local Settings\Temp\tsinstall_4_0_3_7.exe/WISE0001.BIN is infected with a virus Trojan-Downloader.Win32.TSUpdate.i 4/13/2005 1:18:56 AM
C:\Documents and Settings\Owner\Local Settings\Temp\tsinstall_4_0_3_7.exe moved to the backup storage 4/13/2005 1:18:57 AM
C:\Documents and Settings\Owner\Local Settings\Temp\tsinstall_4_0_3_7.exe deleted 4/13/2005 1:18:58 AM
C:\Documents and Settings\Owner\Local Settings\Temp\uppicsvr.exe is infected with a virus not-a-virus:AdWare.DelphinMedia.Viewer.f 4/13/2005 1:19:00 AM
C:\Documents and Settings\Owner\Local Settings\Temp\uppicsvr.exe moved to the backup storage 4/13/2005 1:19:00 AM
C:\Documents and Settings\Owner\Local Settings\Temp\uppicsvr.exe deleted 4/13/2005 1:19:00 AM
C:\Documents and Settings\Owner\Local Settings\Temp\webrebates.exe/data0003/data0001 is infected with a virus not-a-virus:AdWare.WebRebates.g 4/13/2005 1:19:00 AM
C:\Documents and Settings\Owner\Local Settings\Temp\webrebates.exe moved to the backup storage 4/13/2005 1:19:01 AM
C:\Documents and Settings\Owner\Local Settings\Temp\webrebates.exe is infected with a virus not-a-virus:AdWare.WebRebates.g 4/13/2005 1:19:01 AM
C:\Documents and Settings\Owner\Local Settings\Temp\webrebates.exe deleted 4/13/2005 1:19:01 AM
C:\Documents and Settings\Owner\Local Settings\Temp\whenu.exe/data0001.cab\VVSN.exe is infected with a virus not-a-virus:AdWare.SaveNow.z 4/13/2005 1:19:01 AM
C:\Documents and Settings\Owner\Local Settings\Temp\whenu.exe moved to the backup storage 4/13/2005 1:19:01 AM
C:\Documents and Settings\Owner\Local Settings\Temp\whenu.exe/data0001.cab\VVSN.exe cannot be deleted, object cannot be disinfected 4/13/2005 1:19:01 AM
C:\Documents and Settings\Owner\Local Settings\Temp\whenu.exe/data0001.cab is infected with a virus not-a-virus:AdWare.SaveNow.z 4/13/2005 1:19:01 AM
C:\Documents and Settings\Owner\Local Settings\Temp\whenu.exe is infected with a virus not-a-virus:AdWare.SaveNow.z 4/13/2005 1:19:01 AM
C:\Documents and Settings\Owner\Local Settings\Temp\whenu.exe deleted 4/13/2005 1:19:01 AM
C:\Documents and Settings\Owner\Local Settings\Temp\B228120006\build2.exe/data0002 is infected with a virus not-a-virus:AdWare.ToolBar.ISearch.d 4/13/2005 1:19:05 AM
C:\Documents and Settings\Owner\Local Settings\Temp\B228120006\build2.exe moved to the backup storage 4/13/2005 1:19:05 AM
C:\Documents and Settings\Owner\Local Settings\Temp\B228120006\build2.exe is infected with a virus not-a-virus:AdWare.ToolBar.ISearch.d 4/13/2005 1:19:05 AM
C:\Documents and Settings\Owner\Local Settings\Temp\B228120006\build2.exe deleted 4/13/2005 1:19:05 AM
C:\Documents and Settings\Owner\Local Settings\Temp\DrTemp\thnall1p.exe is infected with a virus not-a-virus:AdWare.BetterInternet 4/13/2005 1:19:10 AM
C:\Documents and Settings\Owner\Local Settings\Temp\DrTemp\thnall1p.exe moved to the backup storage 4/13/2005 1:19:10 AM
C:\Documents and Settings\Owner\Local Settings\Temp\DrTemp\thnall1p.exe deleted 4/13/2005 1:19:10 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr0351\eabh.dll is infected with a virus not-a-virus:AdWare.EZula.x 4/13/2005 1:19:13 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr0351\eabh.dll moved to the backup storage 4/13/2005 1:19:13 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr0351\eabh.dll deleted 4/13/2005 1:19:13 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr0351\mmod.exe is infected with a virus not-a-virus:AdWare.EZula.z 4/13/2005 1:19:14 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr0351\mmod.exe moved to the backup storage 4/13/2005 1:19:14 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr0351\mmod.exe deleted 4/13/2005 1:19:14 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr0351\seng.dll is infected with a virus not-a-virus:AdWare.EZula.ab 4/13/2005 1:19:14 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr0351\seng.dll moved to the backup storage 4/13/2005 1:19:14 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.fr0351\seng.dll deleted 4/13/2005 1:19:14 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.frA936\tsl2.exe is infected with a virus Trojan-Downloader.Win32.TSUpdate.g 4/13/2005 1:19:15 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.frA936\tsl2.exe moved to the backup storage 4/13/2005 1:19:15 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.frA936\tsl2.exe deleted 4/13/2005 1:19:15 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.frA936\tsp2.exe is infected with a virus Trojan-Downloader.Win32.TSUpdate.g 4/13/2005 1:19:15 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.frA936\tsp2.exe moved to the backup storage 4/13/2005 1:19:15 AM
C:\Documents and Settings\Owner\Local Settings\Temp\temp.frA936\tsp2.exe deleted 4/13/2005 1:19:15 AM
C:\Documents and Settings\Owner\Local Settings\Temp\THI4CC5.tmp\offerscr.cab\offerscr.exe is infected with a virus not-a-virus:AdWare.AdSquash.a 4/13/2005 1:19:16 AM
C:\Documents and Settings\Owner\Local Settings\Temp\THI4CC5.tmp\offerscr.cab moved to the backup storage 4/13/2005 1:19:16 AM
C:\Documents and Settings\Owner\Local Settings\Temp\THI4CC5.tmp\offerscr.cab\offerscr.exe deleted 4/13/2005 1:19:16 AM
C:\Documents and Settings\Owner\Local Settings\Temp\THI4CC5.tmp\offerscr.exe is infected with a virus not-a-virus:AdWare.AdSquash.a 4/13/2005 1:19:16 AM
C:\Documents and Settings\Owner\Local Settings\Temp\THI4CC5.tmp\offerscr.exe moved to the backup storage 4/13/2005 1:19:16 AM
C:\Documents and Settings\Owner\Local Settings\Temp\THI4CC5.tmp\offerscr.exe deleted 4/13/2005 1:19:16 AM
C:\Documents and Settings\Owner\Local Settings\Temp\THI6CA7.tmp\ahexe.exe is infected with a virus not-a-virus:AdWare.BiSpy.t 4/13/2005 1:19:17 AM
C:\Documents and Settings\Owner\Local Settings\Temp\THI6CA7.tmp\ahexe.exe moved to the backup storage 4/13/2005 1:19:17 AM
C:\Documents and Settings\Owner\Local Settings\Temp\THI6CA7.tmp\ahexe.exe deleted 4/13/2005 1:19:17 AM
C:\Documents and Settings\Owner\Local Settings\Temp\vmstmp\vmstmp.exe is infected with a virus not-a-virus:AdWare.DelphinMediaViewer.c 4/13/2005 1:19:17 AM
C:\Documents and Settings\Owner\Local Settings\Temp\vmstmp\vmstmp.exe moved to the backup storage 4/13/2005 1:19:17 AM
C:\Documents and Settings\Owner\Local Settings\Temp\vmstmp\vmstmp.exe deleted 4/13/2005 1:19:17 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0DU70X6J\protector[1].exe is a Trojan Trojan.Win32.StartPage.nk 4/13/2005 1:21:40 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0DU70X6J\protector[1].exe moved to the backup storage 4/13/2005 1:21:40 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0DU70X6J\protector[1].exe deleted 4/13/2005 1:21:40 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0DU70X6J\stats12[1].htm is infected with a virus Exploit.HTML.Mht 4/13/2005 1:21:44 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0DU70X6J\stats12[1].htm moved to the backup storage 4/13/2005 1:21:45 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0DU70X6J\stats12[1].htm deleted 4/13/2005 1:21:45 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0DU70X6J\WinTS[1].cab\WToolsS.exe is infected with a virus Trojan-Downloader.Win32.Wintool.f 4/13/2005 1:21:48 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0DU70X6J\WinTS[1].cab moved to the backup storage 4/13/2005 1:21:48 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0DU70X6J\WinTS[1].cab\WToolsS.exe deleted 4/13/2005 1:21:48 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0DU70X6J\woinstall[1].exe/WISE0001.BIN is infected with a virus not-a-virus:AdWare.EZula.ak 4/13/2005 1:21:48 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0DU70X6J\woinstall[1].exe moved to the backup storage 4/13/2005 1:21:48 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\0DU70X6J\woinstall[1].exe deleted 4/13/2005 1:21:48 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1BIMBUGB\100[1].bin is infected with a virus not-a-virus:AdWare.BetterInternet 4/13/2005 1:21:49 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1BIMBUGB\100[1].bin moved to the backup storage 4/13/2005 1:21:49 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1BIMBUGB\100[1].bin deleted 4/13/2005 1:21:49 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1BIMBUGB\121[1].bin/data0006 is infected with a virus not-a-virus:AdWare.ToolBar.BrowserVillage.b 4/13/2005 1:21:50 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1BIMBUGB\121[1].bin moved to the backup storage 4/13/2005 1:21:50 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1BIMBUGB\121[1].bin deleted 4/13/2005 1:21:50 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1BIMBUGB\68[1].bin is infected with a virus not-a-virus:AdWare.SurfSide.j 4/13/2005 1:21:53 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1BIMBUGB\68[1].bin moved to the backup storage 4/13/2005 1:21:53 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1BIMBUGB\68[1].bin deleted 4/13/2005 1:21:53 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1BIMBUGB\TBPSSvc[1].cab\TBPSSvc.exe is infected with a virus not-a-virus:AdWare.WebSearch.f 4/13/2005 1:22:09 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1BIMBUGB\TBPSSvc[1].cab moved to the backup storage 4/13/2005 1:22:09 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\1BIMBUGB\TBPSSvc[1].cab\TBPSSvc.exe deleted 4/13/2005 1:22:09 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\122[1].bin\UCMTSAIE.DLL is infected with a virus not-a-virus:AdWare.ToolBar.Ucmore.a 4/13/2005 1:22:12 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\122[1].bin moved to the backup storage 4/13/2005 1:22:12 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\122[1].bin is infected with a virus not-a-virus:AdWare.ToolBar.Ucmore.a 4/13/2005 1:22:12 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\122[1].bin deleted 4/13/2005 1:22:12 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\29[1].bin is infected with a virus Trojan-Dropper.Win32.Delf.z 4/13/2005 1:22:14 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\29[1].bin moved to the backup storage 4/13/2005 1:22:14 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\29[1].bin deleted 4/13/2005 1:22:14 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\93[1].bin is infected with a virus Trojan-Dropper.Win32.Agent.hk 4/13/2005 1:22:16 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\93[1].bin moved to the backup storage 4/13/2005 1:22:16 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\93[1].bin deleted 4/13/2005 1:22:16 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\aun_0018[1].exe is infected with a virus Trojan-Downloader.Win32.Small.akz 4/13/2005 1:22:18 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\aun_0018[1].exe moved to the backup storage 4/13/2005 1:22:18 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\aun_0018[1].exe deleted 4/13/2005 1:22:18 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\BM2[1].dll is infected with a virus Trojan-Downloader.Win32.Agent.jt 4/13/2005 1:22:18 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\BM2[1].dll moved to the backup storage 4/13/2005 1:22:18 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\8L2Z412J\BM2[1].dll deleted 4/13/2005 1:22:18 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\AppWrap[3].exe is infected with a virus Trojan-Dropper.Win32.Small.of 4/13/2005 1:22:39 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\AppWrap[3].exe moved to the backup storage 4/13/2005 1:22:39 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\AppWrap[3].exe deleted 4/13/2005 1:22:39 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\i282[1].exe is infected with a virus Trojan-Downloader.Win32.Qoologic.i 4/13/2005 1:22:46 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\i282[1].exe moved to the backup storage 4/13/2005 1:22:46 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\i282[1].exe deleted 4/13/2005 1:22:46 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\MediaPass[1].exe is infected with a virus not-a-virus:AdWare.WinAD.af 4/13/2005 1:22:49 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\MediaPass[1].exe moved to the backup storage 4/13/2005 1:22:49 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\MediaPass[1].exe deleted 4/13/2005 1:22:49 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\protector_update[1].exe is a Trojan Trojan.Win32.StartPage.nk 4/13/2005 1:22:51 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\protector_update[1].exe moved to the backup storage 4/13/2005 1:22:51 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\protector_update[1].exe deleted 4/13/2005 1:22:51 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\QDow_AS2[1].cab\QDow_AS2.dll is infected with a virus Trojan-Downloader.Win32.QDown.s 4/13/2005 1:22:51 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\QDow_AS2[1].cab moved to the backup storage 4/13/2005 1:22:51 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\QDow_AS2[1].cab\QDow_AS2.dll deleted 4/13/2005 1:22:51 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\sideb[1].exe is infected with a virus not-a-virus:AdWare.ToolBar.EliteBar.z 4/13/2005 1:22:53 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\sideb[1].exe moved to the backup storage 4/13/2005 1:22:53 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\sideb[1].exe deleted 4/13/2005 1:22:53 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\stats22[1].htm is infected with a virus Exploit.HTML.Mht 4/13/2005 1:22:54 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\stats22[1].htm moved to the backup storage 4/13/2005 1:22:54 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\stats22[1].htm deleted 4/13/2005 1:22:54 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\stats25[1].htm is infected with a virus Exploit.HTML.Mht 4/13/2005 1:22:54 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\stats25[1].htm moved to the backup storage 4/13/2005 1:22:54 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\stats25[1].htm deleted 4/13/2005 1:22:54 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\thnall1p[1].exe is infected with a virus not-a-virus:AdWare.BetterInternet 4/13/2005 1:22:55 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\thnall1p[1].exe moved to the backup storage 4/13/2005 1:22:55 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\ERSEC4WI\thnall1p[1].exe deleted 4/13/2005 1:22:55 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\!update-1764[1].0000 is infected with a virus not-a-virus:AdWare.PurityScan.v 4/13/2005 1:22:56 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\!update-1764[1].0000 moved to the backup storage 4/13/2005 1:22:56 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\!update-1764[1].0000 deleted 4/13/2005 1:22:56 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\105[1].bin is infected with a virus not-a-virus:AdWare.BetterInternet 4/13/2005 1:22:57 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\105[1].bin moved to the backup storage 4/13/2005 1:22:57 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\105[1].bin deleted 4/13/2005 1:22:57 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\36[1].bin/WISE0006.BIN is infected with a virus not-a-virus:AdWare.VirtualBouncer.c 4/13/2005 1:22:59 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\36[1].bin moved to the backup storage 4/13/2005 1:22:59 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\36[1].bin is infected with a virus not-a-virus:AdWare.VirtualBouncer.c 4/13/2005 1:22:59 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\36[1].bin deleted 4/13/2005 1:22:59 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\MediaPassC[1].dll is infected with a virus not-a-virus:AdWare.WinAD.af 4/13/2005 1:23:09 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\MediaPassC[1].dll moved to the backup storage 4/13/2005 1:23:09 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\MediaPassC[1].dll deleted 4/13/2005 1:23:09 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\winupdt[1].exe is infected with a virus Trojan-Downloader.Win32.Agent.jq 4/13/2005 1:23:16 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\winupdt[1].exe moved to the backup storage 4/13/2005 1:23:16 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\G5Y38DA3\winupdt[1].exe deleted 4/13/2005 1:23:16 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\119[1].bin is infected with a virus not-a-virus:AdWare.EZula.z 4/13/2005 1:23:17 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\119[1].bin moved to the backup storage 4/13/2005 1:23:17 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\119[1].bin deleted 4/13/2005 1:23:17 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\120[1].bin is infected with a modification of a virus Trojan-Downloader.Win32.QDown.q 4/13/2005 1:23:17 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\120[1].bin quarantined 4/13/2005 1:23:17 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\120[1].bin deleted 4/13/2005 1:23:17 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\65[1].bin is infected with a virus Trojan-Downloader.Win32.Agent.jq 4/13/2005 1:23:20 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\65[1].bin moved to the backup storage 4/13/2005 1:23:20 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\65[1].bin deleted 4/13/2005 1:23:20 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\package_MARKETING17[1].exe/stream/data0002 is infected with a virus not-a-virus:AdWare.BargainBuddy.q 4/13/2005 1:23:33 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\package_MARKETING17[1].exe moved to the backup storage 4/13/2005 1:23:33 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\package_MARKETING17[1].exe is infected with a virus not-a-virus:AdWare.BargainBuddy.q 4/13/2005 1:23:33 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\package_MARKETING17[1].exe deleted 4/13/2005 1:23:33 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\pcs_0008[1].exe is infected with a virus not-a-virus:AdWare.Pacer.b 4/13/2005 1:23:33 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\pcs_0008[1].exe moved to the backup storage 4/13/2005 1:23:34 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\pcs_0008[1].exe deleted 4/13/2005 1:23:34 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\track6[1].htm is infected with a virus Exploit.HTML.Mht 4/13/2005 1:23:38 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\track6[1].htm moved to the backup storage 4/13/2005 1:23:38 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\O456DDLG\track6[1].htm deleted 4/13/2005 1:23:38 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W5QV4LIB\26[1].bin is infected with a virus not-a-virus:AdWare.ToolBar.MyWay.j 4/13/2005 1:23:41 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W5QV4LIB\26[1].bin moved to the backup storage 4/13/2005 1:23:41 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W5QV4LIB\26[1].bin deleted 4/13/2005 1:23:41 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W5QV4LIB\84[1].bin is infected with a virus not-a-virus:AdWare.WinAD.ab 4/13/2005 1:23:42 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W5QV4LIB\84[1].bin moved to the backup storage 4/13/2005 1:23:43 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W5QV4LIB\84[1].bin deleted 4/13/2005 1:23:43 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W5QV4LIB\87[1].bin is infected with a virus Trojan-Downloader.Win32.Adload.a 4/13/2005 1:23:43 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W5QV4LIB\87[1].bin moved to the backup storage 4/13/2005 1:23:43 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W5QV4LIB\87[1].bin deleted 4/13/2005 1:23:43 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W5QV4LIB\MediaPassK[1].exe is infected with a virus not-a-virus:AdWare.WinAD.af 4/13/2005 1:23:51 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W5QV4LIB\MediaPassK[1].exe moved to the backup storage 4/13/2005 1:23:52 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\W5QV4LIB\MediaPassK[1].exe deleted 4/13/2005 1:23:52 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\!update-1784[1].0000 is infected with a virus not-a-virus:AdWare.PurityScan.w 4/13/2005 1:23:59 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\!update-1784[1].0000 moved to the backup storage 4/13/2005 1:24:00 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\!update-1784[1].0000 deleted 4/13/2005 1:24:00 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\25[1].bin/data0003/data0001 is infected with a virus not-a-virus:AdWare.WebRebates.g 4/13/2005 1:24:01 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\25[1].bin moved to the backup storage 4/13/2005 1:24:02 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\25[1].bin is infected with a virus not-a-virus:AdWare.WebRebates.g 4/13/2005 1:24:02 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\25[1].bin deleted 4/13/2005 1:24:02 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\27[1].bin is infected with a virus Trojan-Dropper.Win32.Small.mr 4/13/2005 1:24:02 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\27[1].bin moved to the backup storage 4/13/2005 1:24:02 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\27[1].bin deleted 4/13/2005 1:24:02 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\42[1].bin is infected with a virus Trojan-Dropper.Win32.Agent.hk 4/13/2005 1:24:03 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\42[1].bin moved to the backup storage 4/13/2005 1:24:03 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\42[1].bin deleted 4/13/2005 1:24:03 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\AppWrap[2].exe is infected with a virus Trojan-Downloader.Win32.Small.ru 4/13/2005 1:24:06 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\AppWrap[2].exe moved to the backup storage 4/13/2005 1:24:06 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\AppWrap[2].exe deleted 4/13/2005 1:24:06 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\EliteBar60[1].dll is infected with a virus not-a-virus:AdWare.ToolBar.EliteBar.af 4/13/2005 1:24:11 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\EliteBar60[1].dll moved to the backup storage 4/13/2005 1:24:11 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\EliteBar60[1].dll deleted 4/13/2005 1:24:11 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\eZinstall[1].exe/WISE0001.BIN is infected with a virus not-a-virus:AdWare.EZula.ak 4/13/2005 1:24:11 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\eZinstall[1].exe moved to the backup storage 4/13/2005 1:24:12 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\eZinstall[1].exe deleted 4/13/2005 1:24:12 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\pcs_0006[1].exe is infected with a virus not-a-virus:AdWare.Pacer.b 4/13/2005 1:24:16 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\pcs_0006[1].exe moved to the backup storage 4/13/2005 1:24:17 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\pcs_0006[1].exe deleted 4/13/2005 1:24:17 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\stats25[1].htm is infected with a virus Exploit.HTML.Mht 4/13/2005 1:24:20 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\stats25[1].htm moved to the backup storage 4/13/2005 1:24:20 AM
C:\Documents and Settings\Owner\Local Settings\Temporary Internet Files\Content.IE5\XPWC4HFY\stats25[1].htm deleted 4/13/2005 1:24:20 AM
C:\Program Files\ProcManager.exe is infected with a virus not-a-virus:RiskWare.Tool.PsKill.a 4/13/2005 1:57:27 AM
C:\Program Files\ProcManager.exe moved to the backup storage 4/13/2005 1:57:29 AM
C:\Program Files\ProcManager.exe deleted 4/13/2005 1:57:29 AM
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe is infected with a virus not-a-virus:AdWare.DelphinMedia.Viewer.f 4/13/2005 2:01:21 AM
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe moved to the backup storage 4/13/2005 2:01:21 AM
C:\Program Files\Common Files\Uninstall Information\RemoveDisplayUtility.exe deleted 4/13/2005 2:01:22 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1092633457.ssb\C:\Program Files\Internet Optimizer\optimize.exe is infected with a virus Trojan-Downloader.Win32.Dyfuca.cw 4/13/2005 2:05:58 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1092633457.ssb moved to the backup storage 4/13/2005 2:05:58 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1092633457.ssb\C:\Program Files\Internet Optimizer\optimize.exe deleted 4/13/2005 2:05:58 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1092633821.ssb\C:\Program Files\Bargain Buddy\bin\apuc.dll is infected with a virus not-a-virus:AdWare.BargainBuddy.a 4/13/2005 2:05:59 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1092633821.ssb moved to the backup storage 4/13/2005 2:05:59 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1092633821.ssb\C:\Program Files\Bargain Buddy\bin\apuc.dll deleted 4/13/2005 2:05:59 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1092633821.ssb\C:\WINDOWS\preInsTT.exe is infected with a virus not-a-virus:AdWare.BiSpy.f 4/13/2005 2:05:59 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1092633821.ssb\C:\WINDOWS\preInsTT.exe deleted 4/13/2005 2:05:59 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1093220841.ssb\C:\WINDOWS\bxxs5.dll is infected with a virus not-a-virus:AdWare.BookedSpace.c 4/13/2005 2:06:01 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1093220841.ssb moved to the backup storage 4/13/2005 2:06:01 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1093220841.ssb\C:\WINDOWS\bxxs5.dll deleted 4/13/2005 2:06:01 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1093220864.ssb\C:\WINDOWS\bxxs5.dll is infected with a virus not-a-virus:AdWare.BookedSpace.c 4/13/2005 2:06:01 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1093220864.ssb moved to the backup storage 4/13/2005 2:06:01 AM
C:\Program Files\InterMute\SpySubtract\Backup\Clean Session - 1093220864.ssb\C:\WINDOWS\bxxs5.dll deleted 4/13/2005 2:06:01 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow1.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\arrow2.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bck1.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bck2.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt11.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt12.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt13.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt21.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt22.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt23.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt31.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt32.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt33.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt41.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt42.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt43.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt51.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt52.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt53.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt61.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\bt62.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox1.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox2.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox3.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\checkbox4.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\default.skn password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn1.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn2.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\defbtn3.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph1.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph2.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph3.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph4.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph5.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph6.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\glyph7.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\main.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\preview.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\sprite1.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\tab1.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\Lavasoft\Ad-Aware SE Personal\Skins\Ad-Aware SE default.ask\tab2.bmp password protected, has not been processed 4/13/2005 2:08:42 AM
C:\Program Files\mIRC\mirc.exe is infected with a virus not-a-virus:RiskWare.mIRC.6.03 4/13/2005 2:14:42 AM
C:\Program Files\mIRC\mirc.exe moved to the backup storage 4/13/2005 2:14:42 AM
C:\Program Files\mIRC\mirc.exe deleted 4/13/2005 2:14:43 AM
C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar\content/isearch/isearch.js is infected with a virus not-a-virus:AdWare.ToolBar.ISearch.e 4/13/2005 2:40:47 AM
C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar moved to the backup storage 4/13/2005 2:40:49 AM
C:\Program Files\Mozilla Firefox\extensions\{2bafa858-4ff3-4207-822e-ef46d1b431de}\chrome\isearch.jar\content/isearch/isearch.js deleted 4/13/2005 2:40:49 AM
C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll is infected with a virus not-a-virus:AdWare.ToolBar.Ucmore.a 4/13/2005 2:45:20 AM
C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll moved to the backup storage 4/13/2005 2:45:20 AM
C:\Program Files\TheSearchAccelerator\UCMTSAIE.dll deleted 4/13/2005 2:45:21 AM
C:\Program Files\WildTangent\Apps\onplay.exe/data0002/data0060/data0020 is infected with a virus not-a-virus:AdWare.WildTangent.b 4/13/2005 2:45:25 AM
C:\Program Files\WildTangent\Apps\onplay.exe moved to the backup storage 4/13/2005 2:45:26 AM
C:\Program Files\WildTangent\Apps\onplay.exe/data0002 is infected with a virus not-a-virus:AdWare.WildTangent.b 4/13/2005 2:45:28 AM
C:\Program Files\WildTangent\Apps\onplay.exe is infected with a virus not-a-virus:AdWare.WildTangent.b 4/13/2005 2:45:28 AM
C:\Program Files\WildTangent\Apps\onplay.exe deleted 4/13/2005 2:45:28 AM
C:\RECYCLER\S-1-5-21-2447708230-278728217-1371407472-1003\Dc728.exe is infected with a virus Trojan-Downloader.Win32.Small.gl 4/13/2005 2:48:42 AM
C:\RECYCLER\S-1-5-21-2447708230-278728217-1371407472-1003\Dc728.exe moved to the backup storage 4/13/2005 2:48:42 AM
C:\RECYCLER\S-1-5-21-2447708230-278728217-1371407472-1003\Dc728.exe deleted 4/13/2005 2:48:42 AM
C:\WINDOWS\ceres.dll is infected with a virus not-a-virus:AdWare.BetterInternet 4/13/2005 3:02:27 AM
C:\WINDOWS\ceres.dll moved to the backup storage 4/13/2005 3:02:30 AM
C:\WINDOWS\ceres.dll deleted 4/13/2005 3:02:30 AM
C:\WINDOWS\Helper101.dll is infected with a virus Trojan-Clicker.Win32.Delf.r 4/13/2005 3:02:32 AM
C:\WINDOWS\Helper101.dll moved to the backup storage 4/13/2005 3:02:33 AM
C:\WINDOWS\Helper101.dll deleted 4/13/2005 3:02:33 AM
C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll is infected with a virus not-a-virus:AdWare.ToolBar.EliteBar.z 4/13/2005 3:05:45 AM
C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll moved to the backup storage 4/13/2005 3:05:45 AM
C:\WINDOWS\EliteSideBar\EliteSideBar 08.dll deleted 4/13/2005 3:05:45 AM
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll is infected with a virus not-a-virus:AdWare.ToolBar.EliteBar.af 4/13/2005 3:05:46 AM
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll moved to the backup storage 4/13/2005 3:05:46 AM
C:\WINDOWS\EliteToolBar\EliteToolBar version 60.dll deleted 4/13/2005 3:05:46 AM
C:\WINDOWS\isrvs\mfiltis.dll is infected with a virus not-a-virus:AdWare.ToolBar.ISearch.d 4/13/2005 3:15:12 AM
C:\WINDOWS\isrvs\mfiltis.dll moved to the backup storage 4/13/2005 3:15:12 AM
C:\WINDOWS\isrvs\mfiltis.dll deleted 4/13/2005 3:15:12 AM
C:\WINDOWS\system32\akcore.dll is infected with a virus not-a-virus:AdWare.Coreak 4/13/2005 3:18:50 AM
C:\WINDOWS\system32\akcore.dll moved to the backup storage 4/13/2005 3:18:51 AM
C:\WINDOWS\system32\akcore.dll deleted 4/13/2005 3:18:51 AM
C:\WINDOWS\system32\aklsp.dll is infected with a virus Trojan-Downloader.Win32.Agent.br 4/13/2005 3:18:51 AM
C:\WINDOWS\system32\aklsp.dll moved to the backup storage 4/13/2005 3:18:51 AM
C:\WINDOWS\system32\aklsp.dll deleted 4/13/2005 3:18:51 AM
C:\WINDOWS\system32\akrules.dll is infected with a virus Trojan-Downloader.Win32.Agent.bt 4/13/2005 3:18:51 AM
C:\WINDOWS\system32\akrules.dll moved to the backup storage 4/13/2005 3:18:51 AM
C:\WINDOWS\system32\akrules.dll deleted 4/13/2005 3:18:51 AM
C:\WINDOWS\system32\akupd.dll is infected with a virus Trojan-Downloader.Win32.Agent.br 4/13/2005 3:18:52 AM
C:\WINDOWS\system32\akupd.dll moved to the backup storage 4/13/2005 3:18:52 AM
C:\WINDOWS\system32\akupd.dll deleted 4/13/2005 3:18:52 AM
C:\WINDOWS\system32\aruuo

#6
blinkchaser

Posted 13 April 2005 - 08:59 AM

Member

Topic Starter
Member
22 posts

Ok after deleting kaspersky I got my computer back into working condition. I think it wasn't having too much fun with 2 virus programs.

Heres my new hijack this log....

Logfile of HijackThis v1.99.1
Scan saved at 10:56:11 AM, on 4/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\VTTimer.exe
C:\PROGRA~1\Symantec\SAV8\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Owner\Application Data\wtta.exe
C:\WINDOWS\System32\n?tdde.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.absolutepunk.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SAV8\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [Parallel Tasking] C:\Program Files\Parallel Tasking\ptask.exe
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vzkkak.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [farmmext] C:\WINDOWS\farmmext.exe
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [offerscr.exe] "C:\WINDOWS\offerscr.exe" 1096240008 1098112886
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [4bklfyoo] C:\Program Files\4bklfyoo\4bklfyoo.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - HKCU\..\Run: [Easq] C:\WINDOWS\System32\n?tdde.exe
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: Installer - C:\WINDOWS\system32\l8j80i1ue8.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\hkzjsn01.dll (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe

#7
blinkchaser

Posted 13 April 2005 - 09:03 AM

Member

Topic Starter
Member
22 posts

Well my computer just pulled the black screen [bleep] thing again. Except it waited a lot longer this time around. I'm not sure what's going on.

#8
Trevuren

Posted 13 April 2005 - 09:38 AM

Old Dog

Retired Staff
18,699 posts

Hi blinkchaser,

I told you how badly infected your system really was. I have never seen one this bad. You are in trouble and you may end up having to reformat your drive.

Try this now:

1) I would also like you to download and run a free trial version of an anti-trojan program called Trojan Hunter: Trojan Hunter . Let it scan your whole system and remove anything it finds.

Update definitions if you can and run it in safe mode if that is the only way possible. We have to try and get rid of as much junk as possible to reach the major infections.

Can you run Ad-Aware and Spybot from Safe Mode? Try

REBOOT your system.

Trevuren

#9
blinkchaser

Posted 13 April 2005 - 01:12 PM

Member

Topic Starter
Member
22 posts

Ok ran all 3 programs in Safe mode and they did their run throughs but adware keeps re-dling itself still sometimes. I know I've uninstalled VBouncer like 3 times with spybot and the trojan hunter won't let me remove one of the things its trying to get too.
This one won't get deleted it says cleaned but says can't rename some crap this isn't what it says after you try to clean it but this is the file:
Found trojan module rtvpperf.dll loaded into process explorer.exe (3012): Adware.VX2.110

Logfile of HijackThis v1.99.1
Scan saved at 3:03:49 PM, on 4/13/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\VTTimer.exe
C:\PROGRA~1\Symantec\SAV8\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\Program Files\AIM\aim.exe
C:\Documents and Settings\Owner\Application Data\wtta.exe
C:\WINDOWS\System32\n?tdde.exe
C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
C:\Program Files\Sony Corporation\Picture Package\Picture Package Applications\Residence.exe
C:\WINDOWS\explorer.exe
C:\Program Files\Spybot - Search & Destroy\SpybotSD.exe
C:\Program Files\iTunes\iTunes.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.absolutepunk.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SAV8\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vzkkak.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [offerscr.exe] "C:\WINDOWS\offerscr.exe" 1096240008 1098112886
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [4bklfyoo] C:\Program Files\4bklfyoo\4bklfyoo.exe
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - HKCU\..\Run: [Easq] C:\WINDOWS\System32\n?tdde.exe
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\hkzjsn01.dll (file missing)
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\o6ro0g93e6.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe

#10
Trevuren

Posted 13 April 2005 - 03:38 PM

Old Dog

Retired Staff
18,699 posts

Hi blinkchaser,

Time for us to do some house cleaning too.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Now let's do some work on your log:

First we need to make all files and folders VISIBLE:

Go to start>control panel>folder options>view (tab)
*choose to "show hidden files and folders,"
*uncheck the "hide protected operating system files" and the "hide extensions for know file types" boxes.
*Close the window with ok
*All hidden files will now be visible

Close all browser windows and RUN HijackThis.
. Click the SCAN button to produce a log.
. Click the Config button located in the lower right hand corner of the HijackThis window.
. When the new screen opens, find and click the Miscellaneous Tools button.
. Then choose the Open Process Manager button.
. From the list of processes, hilight the following items by clicking them, ONE AT A TIME, then DELETE them by clicking the KILL button:

C:\Documents and Settings\Owner\Application Data\wtta.exe
C:\WINDOWS\System32\n?tdde.exe

Once all items have been KILLED, click the Back button which will return you to the HijackThis main window. Now place a check mark beside each one of the following items:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://ie.redirect.h...lion&pf=desktop
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://ie.redirect.h...lion&pf=desktop
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page_bak = http://www.absolutepunk.net/
R1 - HKCU\Software\Microsoft\Internet Connection Wizard,ShellNext = http://ie.redirect.h...lion&pf=desktop
R3 - URLSearchHook: (no name) - _{8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
O3 - Toolbar: (no name) - {44BE0690-5429-47f0-85BB-3FFD8020233E} - (no file)
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vzkkak.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [AUNPS2] RUNDLL32 AUNPS2.DLL,_Run@16
O4 - HKLM\..\Run: [cfgmgr51] RunDLL32.EXE C:\WINDOWS\cfgmgr51.dll,DllRun
O4 - HKLM\..\Run: [offerscr.exe] "C:\WINDOWS\offerscr.exe" 1096240008 1098112886
O4 - HKLM\..\Run: [Media Access] C:\Program Files\Media Access\MediaAccK.exe
O4 - HKLM\..\Run: [AlcxMonitor] ALCXMNTR.EXE
O4 - HKLM\..\Run: [4bklfyoo] C:\Program Files\4bklfyoo\4bklfyoo.exe
O4 - HKLM\..\Run: [VBouncer] C:\PROGRA~1\VBouncer\VirtualBouncer.exe
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKCU\..\Run: [Notn] C:\Documents and Settings\Owner\Application Data\wtta.exe
O4 - HKCU\..\Run: [Easq] C:\WINDOWS\System32\n?tdde.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\hkzjsn01.dll (file missing)
O20 - Winlogon Notify: Reliability - C:\WINDOWS\system32\o6ro0g93e6.dll

Now with all the items selected, delete them by clicking the FIX checked button. Close the HijackThis window and Reboot Your System in Safe Mode

How to use the F8 method to Start Your Computer in Safe Mode

*Restart the computer.
*as soon as BIOS is loaded begin tapping the F8 key until the Advanced Options menu appears.
*Use the arrow keys to select the Safe mode menu item
*press Enter.

Using Windows Explorer, locate the following files/folders, and DELETE them (if they are present):

FILES

C:\Documents and Settings\Owner\Application Data\wtta.exe
C:\WINDOWS\System32\n?tdde.exe
C:\WINDOWS\System32\vzkkak.exe
C:\WINDOWS\cfgmgr51.dll
C:\WINDOWS\offerscr.exe
ALCXMNTR.EXE
C:\WINDOWS\system32\n20050308.EXE
C:\WINDOWS\system32\hkzjsn01.dll
C:\WINDOWS\system32\o6ro0g93e6.dll
AUNPS2.DLL

FOLDERS (with all their content)

C:\WINDOWS\System32\nsvsvc
C:\WINDOWS\System32\picsvr
C:\Program Files\Media Access
C:\PROGRAM Files\VBouncer
C:\Program Files\Ebates_MoeMoneyMaker
C:\Program Files\4bklfyoo

Exit Explorer, and REBOOT BACK INTO NORMAL MODE

Finally, RUN Hijackthis again and produce a new HJT log. Post it in the forum so we can check how everytjhing looks now.

Regards,

Trevuren

#11
blinkchaser

Posted 16 April 2005 - 02:23 PM

Member

Topic Starter
Member
22 posts

sorry i've been really busy with school but some [bleep] is still happening on my computer if you could still keep helping me i would appreciate it.

Logfile of HijackThis v1.99.1
Scan saved at 4:21:32 PM, on 4/16/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\VTTimer.exe
C:\PROGRA~1\Symantec\SAV8\vptray.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\AIM\aim.exe
C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\explorer.exe
C:\Program Files\TrojanHunter 4.2\THGuard.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
c:\windows\system32\uiounx.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SAV8\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [rdmahhf] c:\windows\system32\uiounx.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [eZmmod] C:\PROGRA~1\ezula\mmod.exe
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - HKCU\..\RunOnce: [Web Offer] C:\WINDOWS\system32\ezStub.exe
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - C:\WINDOWS\isrvs\mfiltis.dll
O20 - Winlogon Notify: H323TSP - C:\WINDOWS\system32\hr6205joe.dll
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: NavLogon - C:\WINDOWS\System32\NavLogon.dll
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe

#12
Trevuren

Posted 16 April 2005 - 02:35 PM

Old Dog

Retired Staff
18,699 posts

Hi blinkchaser,

That bad infection is still there and a lot of its buddies.

Please print out or copy this page to Notepad. Make sure to work through the fixes in the exact order in which they are mentioned below. If there's anything that you don't understand, ask your question(s) before proceeding with the fixes.

Do the Following:

Run HijackThis. Click on "Config...", "Misc Tools", "Open process manager". Select the following files and click on "Kill process". Answer Yes to the "Are you sure..." question.
- desktop.exe
- edmond.exe
- ffisearch.exe
Launch Notepad, and copy/paste the box below into a new text file. Save it as fixme.reg and save it on your Desktop.

REGEDIT4

[-HKEY_CLASSES_ROOT\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_CLASSES_ROOT\clsid\{950238fb-c706-4791-8674-4d429f85897e}]

[-HKEY_CLASSES_ROOT\mfiltis]

[-HKEY_LOCAL_MACHINE\software\microsoft\windows\currentversion\policies\ext\clsid\{5b4ab8e2-6dc5-477a-b637-bf3c1a2e5993}]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\enum\root\legacy_delprot]

[-HKEY_LOCAL_MACHINE\system\currentcontrolset\services\delprot]

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"desktop search"=-

[-HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run]
"ffis"=-
Locate fixme.reg on your Desktop and double-click on it.
You will receive a prompt similar to: "Do you wish to merge the information into the registry?".
Answer "Yes" and wait for a message to appear similar to "Merged Successfully".
Restart your computer.
Launch Notepad, and copy/paste the box below into a new text file. Save it as Unreg.bat and save it on your Desktop.

regsvr32 /u C:\Windows\isrvs\msfiltis.dll
regsvr32 /u C:\Windows\isrvs\msdbhk.dll
regsvr32 /u C:\Windows\isrvs\sysupd.dll

Locate Unreg.bat on your Desktop and double-click on it.
Delete the following files/folders (if present) in C:\Windows or C:\Windows\System32
- delprot.ini
- delprot.log
- desktop.exe
- isrvs (delete the entire folder)
Delete the following file: C:\Windows\System32\Drivers\Delprot.sys
Delete the following files/folder (if present) in C:\Documents and Settings\<your user name>\Desktop
- anal exploits.url
- big [bleep] school for 2.95.url
- evidence eraser.lnk
- popup blocker stops popups.lnk
- spyware avenger.lnk
- virus hunter security.lnk
- your platinum visa.lnk
Restart your computer and post a new log from HijackThis.

Regards,

Trevuren

#13
blinkchaser

Posted 17 April 2005 - 12:00 AM

Member

Topic Starter
Member
22 posts

Logfile of HijackThis v1.99.1
Scan saved at 1:55:28 AM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.exe
C:\WINDOWS\system32\spoolsv.exe
C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\VTTimer.exe
C:\PROGRA~1\Symantec\SAV8\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\vzkkak.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\OpenOffice.org1.1.3\program\soffice.exe
C:\Program Files\iPod\bin\iPodService.exe
c:\windows\system32\jphptsg.exe
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - {1C78AB3F-A857-482e-80C0-3A1E5238A565} - (no file)
F2 - REG:system.ini: Shell=Explorer.exe C:\WINDOWS\Nail.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
O4 - HKLM\..\Run: [hpsysdrv] c:\windows\system\hpsysdrv.exe
O4 - HKLM\..\Run: [HP Component Manager] "C:\Program Files\HP\hpcoretech\hpcmpmgr.exe"
O4 - HKLM\..\Run: [HPHUPD05] c:\Program Files\HP\{45B6180B-DCAB-4093-8EE8-6164457517F0}\hphupd05.exe
O4 - HKLM\..\Run: [HPHmon05] C:\WINDOWS\System32\hphmon05.exe
O4 - HKLM\..\Run: [Recguard] C:\WINDOWS\SMINST\RECGUARD.EXE
O4 - HKLM\..\Run: [VTTimer] VTTimer.exe
O4 - HKLM\..\Run: [AGRSMMSG] AGRSMMSG.exe
O4 - HKLM\..\Run: [vptray] C:\PROGRA~1\Symantec\SAV8\vptray.exe
O4 - HKLM\..\Run: [HPDJ Taskbar Utility] C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [PS2] C:\WINDOWS\system32\ps2.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [iTunesHelper] C:\Program Files\iTunes\iTunesHelper.exe
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [CloneCDTray] "C:\Program Files\SlySoft\CloneCD\CloneCDTray.exe" /s
O4 - HKLM\..\Run: [THGuard] "C:\Program Files\TrojanHunter 4.2\THGuard.exe"
O4 - HKLM\..\Run: [tsvcin] C:\WINDOWS\system32\n20050308.EXE
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Desktop Search] C:\WINDOWS\isrvs\desktop.exe
O4 - HKLM\..\Run: [ffis] C:\WINDOWS\isrvs\ffisearch.exe
O4 - HKLM\..\Run: [Zone Labs Client] "C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe"
O4 - HKLM\..\Run: [KavSvc] C:\WINDOWS\System32\vzkkak.exe
O4 - HKLM\..\Run: [oevlcl] c:\windows\system32\jphptsg.exe
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - HKCU\..\Run: [eZWO] C:\PROGRA~1\Web Offer\wo.exe
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe

#14
Trevuren

Posted 17 April 2005 - 12:25 AM

Old Dog

Retired Staff
18,699 posts

Hi blinkchaser,

1. Did you run into any problems understanding and executing the directions in the previous post? (If yes, please advise now)

2. If no, please re-run directions provided in pevious post

Regards,

Trevuren

#15
blinkchaser

Posted 26 April 2005 - 10:22 PM

Member

Topic Starter
Member
22 posts

Ive done everything you told me correctly. Although I still kepp getting this betterinternet and aurora thingy. They are blocked by my firewall but they're starting to get annoying spybot deletes it then they come back.

Logfile of HijackThis v1.99.1
Scan saved at 12:16:50 AM, on 4/27/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Java\j2re1.4.2_06\bin\jusched.exe
C:\windows\system\hpsysdrv.exe
C:\Program Files\HP\hpcoretech\hpcmpmgr.exe
C:\WINDOWS\System32\hphmon05.exe
C:\WINDOWS\System32\VTTimer.exe
C:\PROGRA~1\Symantec\SAV8\vptray.exe
C:\WINDOWS\System32\spool\drivers\w32x86\3\hpztsb08.exe
C:\WINDOWS\system32\ps2.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Zone Labs\ZoneAlarm\zlclient.exe
C:\WINDOWS\System32\vzkkak.exe
C:\WINDOWS\system32\ZoneLabs\vsmon.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\iTunes\iTunes.exe
C:\WINDOWS\System32\WISPTIS.EXE
C:\WINDOWS\explorer.exe
C:\Program Files\Winamp\Plugins\CurrentlyHearing\ch_upload.exe
c:\windows\system32\wgwwtu.exe
C:\Program Files\mIRC\mirc.exe
C:\Program Files\AIM\aim.exe
C:\Program Files\Common Files\Real\Update_OB\realsched.exe
C:\Program Files\Real\RealOne Player\rphelperapp.exe
C:\Program Files\Mozilla Firefox\firefox.exe
C:\Documents and Settings\Owner\My Documents\HijackThis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = localhost
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O4 - HKLM\..\RunOnce: [AAW] "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" "+b1"
O4 - HKCU\..\Run: [BackupNotify] c:\Program Files\HP\Digital Imaging\bin\backupnotify.exe
O4 - HKCU\..\Run: [AIM] C:\Program Files\AIM\aim.exe -cnetwait.odl
O4 - Startup: OpenOffice.org 1.1.3.lnk = C:\Program Files\OpenOffice.org1.1.3\program\quickstart.exe
O4 - Global Startup: HP Digital Imaging Monitor.lnk = C:\Program Files\HP\Digital Imaging\bin\hpqtra08.exe
O4 - Global Startup: InterVideo WinCinema Manager.lnk = C:\Program Files\InterVideo\Common\Bin\WinCinemaMgr.exe
O4 - Global Startup: Picture Package Menu.lnk = ?
O4 - Global Startup: Picture Package VCD Maker.lnk = ?
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar1.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar1.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar1.dll/cmcache.html
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar1.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar1.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\WINDOWS\System32\msjava.dll (file missing)
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MI1933~1\OFFICE11\REFIEBAR.DLL
O9 - Extra button: AIM - {AC9E2541-2814-11d5-BC6D-00B0D0A1DE45} - C:\Program Files\AIM\aim.exe
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....738&clcid=0x409
O16 - DPF: {FA3662C3-B8E8-11D6-A667-0010B556D978} (IWinAmpActiveX Class) - http://cdn.digitalci...illama/ampx.cab
O18 - Filter: text/html - {950238FB-C706-4791-8674-4D429F85897E} - (no file)
O20 - Winlogon Notify: OfficeUpdate - C:\WINDOWS\system32\guard.tmp (file missing)
O23 - Service: Adobe LM Service - Unknown owner - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: DefWatch - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\DefWatch.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: Macromedia Licensing Service - Unknown owner - C:\Program Files\Common Files\Macromedia Shared\Service\Macromedia Licensing.exe
O23 - Service: Norton AntiVirus Auto Protect Service (navapsvc) - Unknown owner - c:\Program Files\Norton AntiVirus\navapsvc.exe (file missing)
O23 - Service: Network DDE (NetDDE) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Network DDE DSDM (NetDDEdsdm) - Unknown owner - C:\WINDOWS\system32\netdde.exe (file missing)
O23 - Service: Symantec AntiVirus Client (Norton AntiVirus Server) - Symantec Corporation - C:\PROGRA~1\Symantec\SAV8\Rtvscan.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - C:\WINDOWS\svcproc.exe
O23 - Service: TrueVector Internet Monitor (vsmon) - Zone Labs LLC - C:\WINDOWS\system32\ZoneLabs\vsmon.exe