
trojan virus[RESOLVED]



#1
sexy~n~unique

    Member

  • Member
  • 20 posts
;) I'm about to :tazz: at the thought of reformatting my computer, however I'm not giving up that easily. Yesterday I downloaded a program from xolsoft. It had the smitfield virus in it. I have been following one of the admins, usetobe, with the help to Thorton 21. I found the system32 folder, but I can't find it again. I need any help available. I am having [bleep] sites popping up and desktop icons that I can't get rid of no matter how many times I delete them. I also have a red circle with a white X inside my tool tray. Help me please. I can't even leave my computer screen on anymore in front of my children.

This is my HijackThis log:


thank you for your time
sexy~n~unique

#2
sexy~n~unique

    Member

  • Topic Starter
  • Member
  • 20 posts
:tazz: Correction to the former post. The program that gave me the smitfield virus was Xoftspy. I didn't have the virus until I downloaded this program. I'm also getting an error 317.

It says that Winsock.cfg is getting information from my computer. Their IP address is 83.116.72.11. Also, a winSterHJK v.2011 states that info is leaking from my ports 8080 and 3128.

Also kernel 32 in my folder had all kinds of pornographic things in it... I got all of them deleted except one. And it won't go.

Any help is appreciated.

Edited by sexy~n~unique, 17 April 2005 - 03:13 PM.


#3
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi sexy~n~unique and welcome
Please run through the steps outlined in this Topic
Post back a fresh log when done please

#4
sexy~n~unique

    Member

  • Topic Starter
  • Member
  • 20 posts
Logfile of HijackThis v1.99.1
Scan saved at 7:12:00 PM, on 4/17/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\PROGRA~1\Toolbar\TBPS.exe
C:\PROGRA~1\Toolbar\PIB.exe
c:\PROGRA~1\Toolbar\radio.exe
C:\WINDOWS\System32\crsrs.exe
C:\WINDOWS\System32\dllmanager.exe
C:\WINDOWS\System32\msdev.exe
C:\WINDOWS\System32\ouvkidf\lfmyhdq.exe
C:\WINDOWS\System32\tvenkqqv\mwdfgfbm.exe
C:\WINDOWS\System32\g66eduaq.exe
C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
C:\WINDOWS\sixtypopsix.exe
C:\windows\system32\eetjanxq.exe
C:\WINDOWS\mm15201518.Stub.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system\sudcvpirpp.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\program files\internet explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMMON~1\rkwu\rkwum.exe
C:\windows\A4 DVD Shrinker.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\windows\ACE Mega CoDecS Pack.exe
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\Program Files\Spyware Doctor\swdoctor.exe
C:\windows\system32\packager.exe
C:\PROGRA~1\COMMON~1\rkwu\rkwua.exe
C:\WINDOWS\System32\wuauclt.exe
C:\PROGRA~1\COMMON~1\rkwu\rkwul.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://us8.hpwis.com/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
O2 - BHO: iuctg - {23EF5EB9-71F5-47D3-AD20-0562E35CC780} - C:\WINDOWS\System32\iuctg.dll
O2 - BHO: PCTools Site Guard - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - C:\PROGRA~1\SPYWAR~1\tools\iesdsg.dll
O2 - BHO: PCTools Browser Monitor - {B56A7D7D-6927-48C8-A975-17DF180C71AC} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O4 - HKLM\..\Run: [restrictanonymous] 
O4 - HKLM\..\Run: [lfmyhdq] C:\WINDOWS\System32\ouvkidf\lfmyhdq.exe
O4 - HKLM\..\Run: [mwdfgfbm] C:\WINDOWS\System32\tvenkqqv\mwdfgfbm.exe
O4 - HKLM\..\Run: [Sysnet] C:\Documents and Settings\Owner\snuninst.exe
O4 - HKLM\..\Run: [Auto updat] crsrs.exe
O4 - HKLM\..\Run: [dlite] dllmanager.exe
O4 - HKLM\..\Run: [msdev] msdev.exe
O4 - HKLM\..\Run: [g66eduaq] C:\WINDOWS\System32\g66eduaq.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [eetjanxq] c:\windows\system32\eetjanxq.exe
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunServices: [EnableDCOM] N
O4 - HKLM\..\RunServices: [A4 DVD Shrinker] C:\windows\A4 DVD Shrinker.exe
O4 - HKLM\..\RunServices: [Auto updat] crsrs.exe
O4 - HKLM\..\RunServices: [dlite] dllmanager.exe
O4 - HKLM\..\RunServices: [msdev] msdev.exe
O4 - HKLM\..\RunServices: [ACE Mega CoDecS Pack] C:\windows\ACE Mega CoDecS Pack.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [nternet Explorer] iexplore.exe
O4 - HKCU\..\Run: [Auto updat] crsrs.exe
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [msdev] msdev.exe
O4 - HKCU\..\Run: [dlite] dllmanager.exe
O4 - HKCU\..\Run: [rkwu] C:\PROGRA~1\COMMON~1\rkwu\rkwum.exe
O4 - HKCU\..\Run: [A4 DVD Shrinker] C:\windows\A4 DVD Shrinker.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ACE Mega CoDecS Pack] C:\windows\ACE Mega CoDecS Pack.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [Spyware Doctor] "C:\Program Files\Spyware Doctor\swdoctor.exe" /Q
O4 - HKCU\..\RunOnce: [Auto updat] crsrs.exe
O4 - HKCU\..\RunOnce: [msdev] msdev.exe
O4 - HKCU\..\RunOnce: [dlite] dllmanager.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Spyware Doctor - {2D663D1A-8670-49D9-A1A5-4C56B4E14E84} - C:\PROGRA~1\SPYWAR~1\tools\iesdpb.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {54824939-7E50-4099-BCCD-5172BBC04C67} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {54824939-7E50-4099-BCCD-5172BBC04C67} - (no file) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe



thank you

I'm sorry I keep saying smitfield... it's smitfraud... I've been working on this steadily for the past 2 days to no avail...

Edited by sexy~n~unique, 17 April 2005 - 05:27 PM.


#5
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Hi sexy~n~unique, I'm reviewing your log right now.
Boy o boy!!!! Did you run the online scans? You have multiple trojans and worms running.

I will post back shortly With the first set of instructions, You will have to be patient this will take a couple run throughs,

Don

#6
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
OK, Please print out these instructions, You will find it easier to follow along,,

Go to Start > Control Panel > Add or Remove Programs and remove the following programs, if found:

Security IGuard
Virtual Maid
Search Maid
Toolbar
MyWebSearch


Exit Add/Remove Programs.
Next,
Please disable Spyware Doctor, it may prevent us from making some of these fixes.

Next,

Please open HJT > Click on the Config button > Click Misc. Tools > Click Open Process manager > Highlight:
crsrs.exe
dllmanager.exe
msdev.exe
TBPS.exe
> Click Kill process
Click the Back button,

Next click the scan button and put a check mark next to the following, close all open windows , Click “ Fix Checked”

(Double check all the following entries to be sure you get them all )

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://srch-us8.hpwis.com/
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = websearch.drsnsrch.com/q.cgi?q=
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Local Page = C:\WINDOWS\about.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Toolbar,LinksFolderName =
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
R3 - URLSearchHook: (no name) - {00A6FAF6-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
R3 - URLSearchHook: (no name) - _{CFBFAE00-17A6-11D0-99CB-00C04FD64497} - (no file)
R3 - URLSearchHook: (no name) - _{00A6FAF6-072E-44cf-8957-5838F569A31D} - (no file)
O2 - BHO: MyWebSearch Search Assistant BHO - {00A6FAF1-072E-44cf-8957-5838F569A31D} - C:\Program Files\MyWebSearch\SrchAstt\3.bin\MWSSRCAS.DLL
O2 - BHO: mwsBar BHO - {07B18EA1-A523-4961-B6BB-170DE4475CCA} - C:\Program Files\MyWebSearch\bar\4.bin\MWSBAR.DLL
O2 - BHO: iuctg - {23EF5EB9-71F5-47D3-AD20-0562E35CC780} - C:\WINDOWS\System32\iuctg.dll
O4 - HKLM\..\Run: [restrictanonymous]
O4 - HKLM\..\Run: [lfmyhdq] C:\WINDOWS\System32\ouvkidf\lfmyhdq.exe
O4 - HKLM\..\Run: [mwdfgfbm] C:\WINDOWS\System32\tvenkqqv\mwdfgfbm.exe
O4 - HKLM\..\Run: [Auto updat] crsrs.exe
O4 - HKLM\..\Run: [dlite] dllmanager.exe
O4 - HKLM\..\Run: [msdev] msdev.exe
O4 - HKLM\..\Run: [g66eduaq] C:\WINDOWS\System32\g66eduaq.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKLM\..\Run: [sixtysix] C:\WINDOWS\sixtypopsix.exe
O4 - HKLM\..\Run: [eetjanxq] c:\windows\system32\eetjanxq.exe
O4 - HKLM\..\Run: [motoin] C:\WINDOWS\mm15201518.Stub.exe
O4 - HKLM\..\Run: [Nsv] C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
O4 - HKLM\..\Run: [picsvr] C:\WINDOWS\System32\picsvr\picsvr.exe
O4 - HKLM\..\Run: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe
O4 - HKLM\..\RunServices: [EnableDCOM] N
O4 - HKLM\..\RunServices: [A4 DVD Shrinker] C:\windows\A4 DVD Shrinker.exe
O4 - HKLM\..\RunServices: [Auto updat] crsrs.exe
O4 - HKLM\..\RunServices: [dlite] dllmanager.exe
O4 - HKLM\..\RunServices: [msdev] msdev.exe
O4 - HKLM\..\RunOnce: [TBPS] C:\PROGRA~1\Toolbar\TBPS.exe /boot
O4 - HKCU\..\Run: [nternet Explorer] iexplore.exe
O4 - HKCU\..\Run: [Auto updat] crsrs.exe
O4 - HKCU\..\Run: [msdev] msdev.exe
O4 - HKCU\..\Run: [dlite] dllmanager.exe
O4 - HKCU\..\Run: [rkwu] C:\PROGRA~1\COMMON~1\rkwu\rkwum.exe
O4 - HKCU\..\Run: [A4 DVD Shrinker] C:\windows\A4 DVD Shrinker.exe
O4 - HKCU\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe
O4 - HKCU\..\RunOnce: [Auto updat] crsrs.exe
O4 - HKCU\..\RunOnce: [msdev] msdev.exe
O4 - HKCU\..\RunOnce: [dlite] dllmanager.exe
O4 - Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O4 - Global Startup: MyWebSearch Email Plugin.lnk = C:\Program Files\MyWebSearch\bar\4.bin\MWSOEMON.EXE
O9 - Extra button: Microsoft AntiSpyware helper - {54824939-7E50-4099-BCCD-5172BBC04C67} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {54824939-7E50-4099-BCCD-5172BBC04C67} - (no file) (HKCU)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: WeatherBug - {AF6CABAB-61F9-4f12-A198-B7D41EF1CB52} - C:\Program Files\AWS\WeatherBug\Weather.exe (file missing) (HKCU)
O15 - Trusted Zone: *.media-motor.net
O15 - Trusted Zone: *.popuppers.com


Reboot to safe mode ( by tapping the F8 key on start up ) make sure you can view all hidden folders/files View Hidden Folders search for and delete the following in BOLD

C:\PROGRA~1\Toolbar\TBPS.exe <--Delete Folder
C:\PROGRA~1\Toolbar\PIB.exe <--Delete Folder
c:\PROGRA~1\Toolbar\radio.exe <--Delete Folder
C:\WINDOWS\System32\crsrs.exe
C:\WINDOWS\System32\dllmanager.exe
C:\WINDOWS\System32\msdev.exe
C:\WINDOWS\System32\ouvkidf\lfmyhdq.exe
C:\WINDOWS\System32\tvenkqqv\mwdfgfbm.exe
C:\WINDOWS\System32\g66eduaq.exe
C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe <--Delete Folder
C:\WINDOWS\sixtypopsix.exe
C:\windows\system32\eetjanxq.exe
C:\WINDOWS\mm15201518.Stub.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\system\sudcvpirpp.exe
C:\PROGRA~1\COMMON~1\rkwu\rkwum.exe <--Delete Folder
C:\windows\A4 DVD Shrinker.exe
C:\PROGRA~1\COMMON~1\rkwu\rkwua.exe <--Delete Folder
C:\PROGRA~1\COMMON~1\rkwu\rkwul.exe<--Delete Folder
C:\WINDOWS\sixtypopsix.exe
c:\windows\system32\eetjanxq.exe
C:\WINDOWS\mm15201518.Stub.exe
C:\WINDOWS\System32\systr.dll
C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm <--Delete Folder
C:\Program Files\AWS\WeatherBug\Weather.exe<--Delete Folder
C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe

Delete the following folders as well
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files <-WILL be there!
C:\Program Files\Security IGuard


Restart your computer,

*Download and install Registrar Lite version 2.00
*Double click the purple Registrar Lite icon on your desktop.
*Copy the line below and paste it into the "Address" field (located at the top) of the program:

HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies

*Click the "Go" button.
*It will take you into the "Policies" folder.
*Locate the "System" folder (in the right panel)
*If found, right-click on the System folder and go to Delete
*Be very careful that you only delete the System folder that is inside the Policies folder.

Reboot your computer again.


1.) Download the Hoster from HERE Press "Restore Original Hosts" and press "OK". Exit Program.

2.) Download: http://www.mvps.org/.../DelDomains.inf
To use: right-click and select: Install (no need to restart)
Note: This will remove all entries in the "Trusted Zone" and "Ranges" also.

3.) Download, install, and run CleanUp!

4.) Run this online virus scan: ActiveScan - Save the results from the scan!

Post a new HiJackThis log.

#7
sexy~n~unique

    Member

  • Topic Starter
  • Member
  • 20 posts
Please forgive me, my mind is a little tired from work today. I can't find the files listed below. Where do I look and how do I get there?

Reboot to safe mode ( by tapping the F8 key on start up ) make sure you can view all hidden folders/files View Hidden Folders search for and delete the following in BOLD

C:\PROGRA~1\Toolbar\TBPS.exe <--Delete Folder
C:\PROGRA~1\Toolbar\PIB.exe <--Delete Folder
c:\PROGRA~1\Toolbar\radio.exe <--Delete Folder
C:\WINDOWS\System32\crsrs.exe
C:\WINDOWS\System32\dllmanager.exe
C:\WINDOWS\System32\msdev.exe
C:\WINDOWS\System32\ouvkidf\lfmyhdq.exe
C:\WINDOWS\System32\tvenkqqv\mwdfgfbm.exe
C:\WINDOWS\System32\g66eduaq.exe
C:\PROGRA~1\MYWEBS~1\bar\4.bin\mwsoemon.exe <--Delete Folder
C:\WINDOWS\sixtypopsix.exe
C:\windows\system32\eetjanxq.exe
C:\WINDOWS\mm15201518.Stub.exe
C:\WINDOWS\System32\nsvsvc\nsvsvc.exe
C:\WINDOWS\System32\picsvr\picsvr.exe
C:\WINDOWS\system\sudcvpirpp.exe
C:\PROGRA~1\COMMON~1\rkwu\rkwum.exe <--Delete Folder
C:\windows\A4 DVD Shrinker.exe
C:\PROGRA~1\COMMON~1\rkwu\rkwua.exe <--Delete Folder
C:\PROGRA~1\COMMON~1\rkwu\rkwul.exe<--Delete Folder
C:\WINDOWS\sixtypopsix.exe
c:\windows\system32\eetjanxq.exe
C:\WINDOWS\mm15201518.Stub.exe
C:\WINDOWS\System32\systr.dll
C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm <--Delete Folder
C:\Program Files\AWS\WeatherBug\Weather.exe<--Delete Folder
C:\wp.exe
C:\wp.bmp
C:\Windows\sites.ini
C:\Windows\popuper.exe
C:\WINDOWS\System32\wldr.dll
C:\Windows\System32\helper.exe
C:\Windows\System32\intmonp.exe
C:\Windows\System32\msmsgs.exe
C:\Windows\System32\ole32vbs.exe
C:\Windows\system32\msole32.exe

Delete the following folders as well
C:\Program Files\Search Maid
C:\Program Files\Virtual Maid
C:\Windows\System32\Log Files <-WILL be there!
C:\Program Files\Security IGuard


And I also forgot how to get into the hidden files folder. I did it last night but am not thinking a whole lot tonight. lol, sorry for the inconvenience. I'm on EST time.

Thanks
Sexy

The flight of imagination goes a long way without time.

#8
don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
My apologies,

Hidden Files/Folders
Click on it for instructions

Look in your program files, Look in your system32 folder for the files that are listed as being there
ie : C:\WINDOWS\System32\dllmanager.exe
In system32 folder look for dllmanager.exe and delete

and so on,
Let me know if there were any you couldn't find

#9
sexy~n~unique

    Member

  • Topic Starter
  • Member
  • 20 posts
OK, I am almost complete, but when I get to this site

2.) Download: http://www.mvps.org/.../DelDomains.inf

it comes up as a text file. I can't right-click nor install. Help please

Sexy
  • 0

#10
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
When you click on the link, save the file to your desktop.
When it's done downloading, close out the download box.
Check on your desktop for the DelDomains file, then right-click and choose Install
  • 0

#11
sexy~n~unique

sexy~n~unique

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Don oh Don ...............this trojan hates me. LOL I tried to get Panda scanner to work with Mozilla...but the browser is not supported.....and IE will not bring up a page for Panda scanner. Is there another scanner I can use?

Sexy



---------------------------------

The flight of imagination goes a long way without time.
  • 0

#12
sexy~n~unique

sexy~n~unique

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
Here we go..............

Logfile of HijackThis v1.99.1
Scan saved at 9:46:17 PM, on 4/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system\sudcvpirpp.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\PROGRA~1\mozilla.org\Mozilla\mozilla.exe
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O2 - BHO: iuctg - {23EF5EB9-71F5-47D3-AD20-0562E35CC780} - C:\WINDOWS\System32\iuctg.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Sysnet] C:\Documents and Settings\Owner\snuninst.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [eetjanxq] c:\windows\system32\eetjanxq.exe
O4 - HKLM\..\Run: [msdev] msdev.exe
O4 - HKLM\..\RunServices: [ACE Mega CoDecS Pack] C:\windows\ACE Mega CoDecS Pack.exe
O4 - HKLM\..\RunServices: [msdev] msdev.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ACE Mega CoDecS Pack] C:\windows\ACE Mega CoDecS Pack.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\Run: [msdev] msdev.exe
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...468/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Tell me what you think.

Sexy

-----------------------------

The flight of imagination goes a long way without time.
  • 0

#13
sexy~n~unique

sexy~n~unique

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
After looking back.....I deleted a few more. Here is the new post.



Logfile of HijackThis v1.99.1
Scan saved at 9:51:59 PM, on 4/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system\sudcvpirpp.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\WINDOWS\System32\wuauclt.exe
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\Program Files\Internet Explorer\IEXPLORE.EXE
C:\WINDOWS\System32\msiexec.exe
C:\Documents and Settings\Owner\Desktop\HijackThis.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\PROGRA~1\mozilla.org\Mozilla\mozilla.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O2 - BHO: iuctg - {23EF5EB9-71F5-47D3-AD20-0562E35CC780} - C:\WINDOWS\System32\iuctg.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Sysnet] C:\Documents and Settings\Owner\snuninst.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunServices: [ACE Mega CoDecS Pack] C:\windows\ACE Mega CoDecS Pack.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ACE Mega CoDecS Pack] C:\windows\ACE Mega CoDecS Pack.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - HKCU\..\RunOnce: [CleanUp!] C:\PROGRA~1\CleanUp!\CleanUp.exe /WindowsRestart
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...468/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


Sexy

-----------------------------------------

The flight of imagination goes a long way without time.
  • 0

#14
don77

don77

    Malware Expert

  • Retired Staff
  • 18,526 posts
Looking much better !

Please restart HJT, put a check next to the following, close all open windows and click "Fix Checked"

R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
O2 - BHO: iuctg - {23EF5EB9-71F5-47D3-AD20-0562E35CC780} - C:\WINDOWS\System32\iuctg.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)

Next, reboot into SAFE MODE. Make sure you can view all Hidden Files/Folders, then search for and delete the files highlighted in BOLD

C:\WINDOWS\System32\iuctg.dll



Restart your computer and post back a fresh log please.

Also,
Please download
Silent Runners
Please create a folder for it, then double-click on the program. It will save a notebook file in the same folder. Open that, then copy and paste the log back to this thread please
  • 0
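The round trip in this thread (post a HijackThis log, the helper names R0/O2/O4 lines to fix, the user posts a fresh log and the helper checks what disappeared) is mechanical enough to script. The following is an added example written for this page, not code from HijackThis, Geeks to Go or either poster: it parses the R*/O* entry lines of two HJT logs, reports which entries vanished between scans, and flags the entry patterns don77 reacted to above (a start page pointing at an unfamiliar host, a BHO whose DLL is "(no file)" or has no name, an autorun with no full path or launched from the user profile). The sample logs are a constructed subset of the scans posted in this thread; the TRUSTED_HOMEPAGES set is an assumption for the example.

```python
"""Triage helper for HijackThis (HJT) logs. Added example for this thread;
not part of HijackThis or of the original posts."""
import re
from urllib.parse import urlparse

# Constructed subset of the 4/18/2005 9:46 PM scan posted above.
SCAN_BEFORE = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
O2 - BHO: iuctg - {23EF5EB9-71F5-47D3-AD20-0562E35CC780} - C:\WINDOWS\System32\iuctg.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Sysnet] C:\Documents and Settings\Owner\snuninst.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [eetjanxq] c:\windows\system32\eetjanxq.exe
O4 - HKLM\..\Run: [msdev] msdev.exe
"""

# Constructed subset of the 9:51 PM scan, after the user deleted a few files.
SCAN_AFTER = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\System32\smss.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
O2 - BHO: iuctg - {23EF5EB9-71F5-47D3-AD20-0562E35CC780} - C:\WINDOWS\System32\iuctg.dll
O2 - BHO: (no name) - {5C8B2A36-3DB1-42A4-A3CB-D426709BBFEB} - (no file)
O4 - HKLM\..\Run: [Sysnet] C:\Documents and Settings\Owner\snuninst.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
"""

ENTRY_RE = re.compile(r"^(?P<kind>[RO]\d+) - (?P<body>.*)$")
O4_RE = re.compile(r"^(?P<hive>.*?Run(?:Services|Once)?): \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
O2_RE = re.compile(r"^BHO: (?P<name>.*?) - (?P<clsid>\{[0-9A-Fa-f-]+\}) - (?P<path>.*)$")
START_PAGE_RE = re.compile(r"Start Page = (?P<url>\S+)$")

# Assumption for the example: the home pages this machine's owner actually chose.
TRUSTED_HOMEPAGES = {"www.google.com", "www.yahoo.com"}


def parse_hjt(text):
    """Return only the R*/O* entry lines; the process list and headers are dropped."""
    return [ln.strip() for ln in text.splitlines() if ENTRY_RE.match(ln.strip())]


def diff_scans(before_text, after_text):
    """Entries that disappeared and entries that appeared between two scans."""
    before, after = parse_hjt(before_text), parse_hjt(after_text)
    removed = [ln for ln in before if ln not in after]
    added = [ln for ln in after if ln not in before]
    return removed, added


def flag_entry(line):
    """Return a short reason this entry deserves a look, or None if nothing stands out."""
    m = ENTRY_RE.match(line)
    if not m:
        return None
    kind, body = m.group("kind"), m.group("body")
    if kind == "R0" and "Start Page" in body:
        url = START_PAGE_RE.search(body).group("url")
        host = urlparse(url if "://" in url else "http://" + url).hostname
        if host not in TRUSTED_HOMEPAGES:
            return f"start page points at untrusted host {host}"
    if kind == "O2":
        o2 = O2_RE.match(body)
        if o2 and o2.group("path") == "(no file)":
            return "BHO registered but its DLL is missing (orphaned entry)"
        if o2 and o2.group("name") == "(no name)":
            return "BHO without a name"
    if kind == "O4":
        o4 = O4_RE.match(body)
        if o4:
            cmd = o4.group("cmd").strip('"')
            if "\\" not in cmd:
                return "autorun without a full path; verify which file actually runs"
            if "documents and settings" in cmd.lower():
                return "autorun launched from a user profile directory"
    return None


def triage(text):
    """All flagged entries of one scan as (line, reason) pairs."""
    flagged = []
    for ln in parse_hjt(text):
        reason = flag_entry(ln)
        if reason:
            flagged.append((ln, reason))
    return flagged


if __name__ == "__main__":
    removed, added = diff_scans(SCAN_BEFORE, SCAN_AFTER)
    print("gone since last scan:", *removed, sep="\n  ")
    print("still worth a look:", *(f"{r}: {ln}" for ln, r in triage(SCAN_AFTER)), sep="\n  ")
```

Two things the output makes visible: the "no full path" rule also fires on the legitimate Tweak UI entry, which is why these are prompts for a human reviewer and not verdicts, and the iuctg BHO is not flagged at all, because a random-looking name under System32 can only be judged by looking the file up, which is exactly what the helper did by hand in this thread.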

#15
sexy~n~unique

sexy~n~unique

    Member

  • Topic Starter
  • Member
  • PipPip
  • 20 posts
OK Don.........

I was able to fix checked, however the C:\WINDOWS\System 32\luctg.dll
I couldn't delete. It said it was in use by another program.

But I went ahead and ran another HJT post and the Silent Runners post. The results are as follows. P.S. I got my desktop back....I got the pictures on the icon to disappear....But I'm working on finding a way to remove them. The popups are still there.

Here you go!

Logfile of HijackThis v1.99.1
Scan saved at 11:09:09 PM, on 4/18/2005
Platform: Windows XP SP1 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP1 (6.00.2800.1106)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\LEXBCES.EXE
C:\WINDOWS\system32\spoolsv.exe
c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
C:\WINDOWS\system32\LEXPPS.EXE
c:\Program Files\Norton Personal Firewall\NISUM.EXE
C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe
c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\Softex\OmniPass\Omniserv.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Softex\OmniPass\OPXPApp.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Common Files\Symantec Shared\ccApp.exe
C:\WINDOWS\system\sudcvpirpp.exe
C:\Program Files\Yahoo!\Messenger\ypager.exe
C:\Program Files\Messenger\MSMSGS.EXE
C:\Program Files\mozilla.org\Mozilla\Mozilla.exe
C:\WINDOWS\System32\wuauclt.exe
C:\WINDOWS\system32\NOTEPAD.EXE
C:\Documents and Settings\Owner\Desktop\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer,(Default) = www.google.com
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://www.hotoffers.info/ad0278/
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = www.yahoo.com
O2 - BHO: iuctg - {23EF5EB9-71F5-47D3-AD20-0562E35CC780} - C:\WINDOWS\System32\iuctg.dll
O4 - HKLM\..\Run: [Sysnet] C:\Documents and Settings\Owner\snuninst.exe
O4 - HKLM\..\Run: [Tweak UI] RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp
O4 - HKLM\..\Run: [ccApp] "c:\Program Files\Common Files\Symantec Shared\ccApp.exe"
O4 - HKLM\..\Run: [ccRegVfy] "c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\RunServices: [ACE Mega CoDecS Pack] C:\windows\ACE Mega CoDecS Pack.exe
O4 - HKCU\..\Run: [Yahoo! Pager] C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet
O4 - HKCU\..\Run: [Acme.PCHButton] C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\MSMSGS.EXE" /background
O4 - HKCU\..\Run: [ACE Mega CoDecS Pack] C:\windows\ACE Mega CoDecS Pack.exe
O4 - HKCU\..\Run: [Mozilla Quick Launch] "C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo
O4 - Global Startup: Quicken Scheduled Updates.lnk = C:\Program Files\Quicken\bagent.exe
O4 - Global Startup: Updates from HP.lnk = C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~3\OFFICE11\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_02\bin\npjpi150_02.dll
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~3\OFFICE11\REFIEBAR.DLL
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\MSMSGS.EXE
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {EF791A6B-FC12-4C68-99EF-FB9E207A39E6} (McFreeScan Class) - http://download.mcaf...468/mcfscan.cab
O20 - Winlogon Notify: igfxcui - C:\WINDOWS\SYSTEM32\igfxsrvc.dll
O20 - Winlogon Notify: OPXPGina - C:\Program Files\Softex\OmniPass\opxpgina.dll
O23 - Service: Symantec Event Manager (ccEvtMgr) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccEvtMgr.exe
O23 - Service: Symantec Password Validation Service (ccPwdSvc) - Symantec Corporation - c:\Program Files\Common Files\Symantec Shared\ccPwdSvc.exe
O23 - Service: Symantec Proxy Service (ccPxySvc) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\ccPxySvc.exe
O23 - Service: iPod Service (iPodService) - Apple Computer, Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: LexBce Server (LexBceS) - Lexmark International, Inc. - C:\WINDOWS\system32\LEXBCES.EXE
O23 - Service: Norton Personal Firewall Accounts Manager (NISUM) - Symantec Corporation - c:\Program Files\Norton Personal Firewall\NISUM.EXE
O23 - Service: NVIDIA Driver Helper Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: Softex OmniPass Service (omniserv) - Unknown owner - C:\Program Files\Softex\OmniPass\Omniserv.exe
O23 - Service: Symantec Network Drivers Service (SNDSrvc) - Symantec Corporation - C:\Program Files\Common Files\Symantec Shared\SNDSrvc.exe


and Silent Runners:


"Silent Runners.vbs", revision 35, http://www.silentrunners.org/
Operating System: Windows XP
Output limited to non-default values, except where indicated by "{++}"


Startup items buried in registry:
---------------------------------

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\
"sudcvpirpp.exe" = "C:\WINDOWS\system\sudcvpirpp.exe" [null data]

HKCU\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Yahoo! Pager" = "C:\Program Files\Yahoo!\Messenger\ypager.exe -quiet" ["Yahoo! Inc."]
"Acme.PCHButton" = "C:\PROGRA~1\HPINST~1\Pavilion\XPHNABS3EN\plugin\bin\pchbutton.exe" ["Motive Communications, Inc."]
"MSMSGS" = ""C:\Program Files\Messenger\MSMSGS.EXE" /background" [MS]
"ACE Mega CoDecS Pack" = "C:\windows\ACE Mega CoDecS Pack.exe" [file not found]
"Mozilla Quick Launch" = ""C:\Program Files\mozilla.org\Mozilla\Mozilla.exe" -turbo" ["Mozilla Foundation"]

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\ {++}
"Sysnet" = "C:\Documents and Settings\Owner\snuninst.exe" [null data]
"Tweak UI" = "RUNDLL32.EXE TWEAKUI.CPL,TweakMeUp" [MS]
"ccApp" = ""c:\Program Files\Common Files\Symantec Shared\ccApp.exe"" ["Symantec Corporation"]
"ccRegVfy" = ""c:\Program Files\Common Files\Symantec Shared\ccRegVfy.exe"" ["Symantec Corporation"]
"Symantec NetDriver Monitor" = "C:\PROGRA~1\SYMNET~1\SNDMon.exe" ["Symantec Corporation"]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\Browser Helper Objects\
{23EF5EB9-71F5-47D3-AD20-0562E35CC780}\(Default) = "iuctg" [from CLSID]
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\iuctg.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Shell Extensions\Approved\
"{42071714-76d4-11d1-8b24-00a0c9068ff3}" = "Display Panning CPL Extension"
-> {CLSID}\InProcServer32\(Default) = "deskpan.dll" [file not found]
"{88895560-9AA2-1069-930E-00AA0030EBC8}" = "HyperTerminal Icon Ext"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\hticons.dll" ["Hilgraeve, Inc."]
"{A4DF5659-0801-4A60-9607-1C48695EFDA9}" = "Share-to-Web Upload Folder"
-> {CLSID}\InProcServer32\(Default) = "c:\Program Files\Hewlett-Packard\HP Share-to-Web\HPGS2WNS.DLL" ["Hewlett-Packard"]
"{7F67036B-66F1-411A-AD85-759FB9C5B0DB}" = "SampleView"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\ShellvRTF.dll" ["XSS"]
"{1CDB2949-8F65-4355-8456-263E7C208A5D}" = "Desktop Explorer"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{1E9B04FB-F9E5-4718-997B-B8DA88302A47}" = "Desktop Explorer Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\nvshell.dll" ["NVIDIA Corporation"]
"{CCFE56EE-C7DE-44EE-A160-4553A5A912C9}" = "OmniPass Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Softex\OmniPass\opshelle.dll" ["Softex Incorporated"]
"{5464D816-CF16-4784-B9F3-75C0DB52B499}" = "Yahoo! Mail"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\Yahoo!\Common\ymmapi.dll" ["Yahoo! Inc."]
"{B41DB860-8EE4-11D2-9906-E49FADC173CA}" = "WinRAR shell extension"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\WinRAR\rarext.dll" [null data]
"{00020D75-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Desktop Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\MLSHEXT.DLL" [MS]
"{0006F045-0000-0000-C000-000000000046}" = "Microsoft Office Outlook Custom Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\MICROS~3\OFFICE11\OLKFSTUB.DLL" [MS]
"{42042206-2D85-11D3-8CFF-005004838597}" = "Microsoft Office HTML Icon Handler"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Microsoft Office\OFFICE11\msohev.dll" [MS]
"{640167b4-59b0-47a6-b335-a6b3c0695aea}" = "Portable Media Devices"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{cc86590a-b60a-48e6-996b-41d25ed39a1e}" = "Portable Media Devices Menu"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Audiodev.dll" [MS]
"{B9E1D2CB-CCFF-4AA6-9579-D7A4754030EF}" = "iTunes"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\iTunes\iTunesMiniPlayer.dll" ["Apple Computer, Inc."]
"{EBDF1F20-C829-11D1-8233-FF20AF3E97A9}" = "TrojanHunter Menu Shell Extension"
-> {CLSID}\InProcServer32\(Default) = "C:\PROGRA~1\TROJAN~1.5\contmenu.dll" [null data]

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! OPXPGina\DLLName = "C:\Program Files\Softex\OmniPass\opxpgina.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]


Default executables:
--------------------

.BAT: HKLM\SOFTWARE\Classes\batfile\shell\open\command\
INFECTION WARNING! "Default" = "C:\windows\WinBat.exe %1" ["lgim"]


Enabled Wallpaper and Active Desktop:
-------------------------------------

Active Desktop is disabled.

HKCU\Control Panel\Desktop\
"Wallpaper" = "C:\Documents and Settings\Owner\Local Settings\Application Data\Microsoft\Wallpaper1.bmp"


Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

INFECTION WARNING! D:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]


Startup items in "Owner" & "All Users" startup folders:
-------------------------------------------------------

C:\Documents and Settings\All Users\Start Menu\Programs\Startup
"Quicken Scheduled Updates" -> shortcut to: "C:\Program Files\Quicken\bagent.exe" ["Intuit Inc."]
"Updates from HP" -> shortcut to: "C:\Program Files\Updates from HP\137903\Program\BackWeb-137903.exe -startup" [null data]


Enabled Scheduled Tasks:
------------------------

"1-Click Maintenance" -> launches: "C:\Program Files\TuneUp Utilities 2004\SystemOptimizer.exe /schedulestart" ["TuneUp Software GmbH"]
"RUTASK" -> launches: "C:\WINDOWS\ru.exe" [null data]


Winsock2 Service Provider DLLs:
-------------------------------

Namespace Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\NameSpace_Catalog5\Catalog_Entries\ {++}
000000000001\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]
000000000002\LibraryPath = "%SystemRoot%\System32\winrnr.dll" [MS]
000000000003\LibraryPath = "%SystemRoot%\System32\mswsock.dll" [MS]

Transport Service Providers

HKLM\System\CurrentControlSet\Services\Winsock2\Parameters\Protocol_Catalog9\Catalog_Entries\ {++}
0000000000##\PackedCatalogItem (contains) DLL [Company Name], (at) ## range:
%SystemRoot%\system32\mswsock.dll [MS], 01 - 03, 06 - 15
%SystemRoot%\system32\rsvpsp.dll [MS], 04 - 05


Toolbars, Explorer Bars, Extensions:
------------------------------------

Explorer Bars

HKCU\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
-> {CLSID}\(Default) = "&Yahoo! Messenger"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

{8F4902B6-6C04-4ADE-8052-AA58578A21BD}\
-> {CLSID}\(Default) = "hp toolkit"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

HKLM\Software\Microsoft\Internet Explorer\Explorer Bars\
{4528BBE0-4E08-11D5-AD55-00010333D0AD}\
-> {CLSID}\(Default) = "&Yahoo! Messenger"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll" ["Yahoo! Inc."]

{8F4902B6-6C04-4ADE-8052-AA58578A21BD}\
-> {CLSID}\(Default) = "hp toolkit"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\Shdocvw.dll" [MS]

Dormant Explorer Bars in "View, Explorer Bar" menu

HKLM\Software\Classes\CLSID\{B2847E28-5D7D-4DEB-8B67-05D28BCF79F5}\
(Default) = "hp toolkit"
Implemented Categories\{00021494-0000-0000-C000-000000000046}\ [horizontal bar]
InProcServer32\(Default) = "C:\HP\EXPLOREBAR\HPTOOLKT.DLL" ["Hewlett-Packard Company"]
  • 0
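Silent Runners prefixes every entry in a sensitive location with "INFECTION WARNING!", whether the DLL is Intel's igfxsrvc.dll or the unknown param32.dll, so the reader has to rank those lines by the trailing bracket tag (a quoted company name from the file's version info, "[MS]", "[null data]" or "[file not found]"). The following is an added example written for this page, not code from Silent Runners or the posters: it pulls each warning together with the registry key it sits under, follows the "->" continuation line when the tag is there, and sorts the entries so files with no version information come first. The sample text is a constructed subset of the Silent Runners output posted above; the FAMILIAR set of company strings is an assumption for the example.

```python
"""Rank the INFECTION WARNING! lines of a Silent Runners log. Added example
for this thread; not part of Silent Runners or of the original posts."""
import re

# Constructed subset of the revision 35 output posted above.
SAMPLE = r"""
Startup items buried in registry:
---------------------------------

HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\SharedTaskScheduler\
INFECTION WARNING! "{D56A1203-1452-EBA1-7294-EE3377770000}" = "Interlinking Memory Support"
-> {CLSID}\InProcServer32\(Default) = "C:\WINDOWS\System32\param32.dll" [null data]

HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\Notify\
INFECTION WARNING! igfxcui\DLLName = "igfxsrvc.dll" ["Intel Corporation"]
INFECTION WARNING! OPXPGina\DLLName = "C:\Program Files\Softex\OmniPass\opxpgina.dll" [null data]

HKLM\Software\Classes\PROTOCOLS\Filter\
INFECTION WARNING! text/xml\CLSID = "{807553E5-5146-11D5-A672-00B0D022E945}"
-> {CLSID}\InProcServer32\(Default) = "C:\Program Files\Common Files\Microsoft Shared\OFFICE11\MSOXMLMF.DLL" [MS]

Default executables:
--------------------

.BAT: HKLM\SOFTWARE\Classes\batfile\shell\open\command\
INFECTION WARNING! "Default" = "C:\windows\WinBat.exe %1" ["lgim"]

Autostart via AUTORUN.INF on local fixed drives:
------------------------------------------------

INFECTION WARNING! D:\AUTORUN.INF -> "OPEN=Info.exe folder.htt 480 480" ["XSS"]
"""

WARN_PREFIX = "INFECTION WARNING!"
TAG_RE = re.compile(r"\[(?P<tag>[^\[\]]*)\]\s*$")
# Assumption for the example: company strings the reviewer already recognises.
FAMILIAR = {"MS", "Intel Corporation", "Microsoft Corporation"}
RANK = {"high": 0, "review": 1, "low": 2}


def priority_of(tag):
    """No version info or a missing file ranks first; known vendors last."""
    if tag in (None, "null data", "file not found"):
        return "high"
    if tag.strip('"') in FAMILIAR:
        return "low"
    return "review"


def _tag_of(line):
    m = TAG_RE.search(line)
    return m.group("tag") if m else None


def parse_warnings(text):
    """Collect each warning with the key/heading above it and its bracket tag."""
    lines = text.splitlines()
    section, results, i = "", [], 0
    while i < len(lines):
        line = lines[i].strip()
        if line.startswith(WARN_PREFIX):
            detail = line[len(WARN_PREFIX):].strip()
            tag = _tag_of(detail)
            # The file path and tag often sit on the "->" line that follows.
            if tag is None and i + 1 < len(lines) and lines[i + 1].strip().startswith("->"):
                i += 1
                cont = lines[i].strip()
                detail, tag = detail + " " + cont, _tag_of(cont)
            results.append({"section": section, "detail": detail,
                            "tag": tag, "priority": priority_of(tag)})
        elif line and not line.startswith("->") and set(line) != {"-"}:
            section = line  # the registry key or heading the next warnings belong to
        i += 1
    return results


def ranked_warnings(text):
    """Warnings sorted so the ones most worth a human's time come first."""
    return sorted(parse_warnings(text), key=lambda w: RANK[w["priority"]])


if __name__ == "__main__":
    for w in ranked_warnings(SAMPLE):
        print(f"[{w['priority']:6}] {w['section']}\n         {w['detail']}")
```

On the sample this puts param32.dll and opxpgina.dll at the top, WinBat.exe and the D: autorun next (unfamiliar company strings), and the Intel and Microsoft entries last. The ranking only orders the reviewer's attention; as the OmniPass entry shows, "[null data]" also covers legitimate software shipped without version resources.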