
[Referred] desktop/web browser hijack [RESOLVED]

#1 ewallen (Member, 11 posts)
Hi,
My problems began with some connectivity issues, followed by the hijacking of my desktop by a black screen with a warning about spyware. Clicking on the screen launched a web browser to the site:
www.topantispyware.com/overview
Also, I was unable to start up some programs (notably, my anti-spyware applications). I have managed to get rid of the black background, but still can't launch the spyware applications, except in safe mode. Launching Internet Explorer attempts to bring me to the page: w-find.com/index.htm
Also, when I try to shut down, I get a message to wait for Win.Min to shut down.

I have included my Ad-Aware log below (run in safe mode).
Prior to this, I have tried a variety of tools, including:
-the winsock utility on your site
-Spybot S&D
-HijackThis
-mwave scanner
-CWShredder
-LSPFix
-systemsecUK

Thanks for your help

#2 ewallen (Topic Starter, Member, 11 posts)
Ad-Aware SE Build 1.05
Logfile Created on:May 2, 2005 7:30:32 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R42 28.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
FlashenhancerBHO(TAC index:7):4 total references
Possible Browser Hijack attempt(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R42 28.04.2005
Internal build : 49
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 466557 Bytes
Total size : 1403889 Bytes
Signature data size : 1373297 Bytes
Reference data size : 30080 Bytes
Signatures total : 39226
Fingerprints total : 836
Fingerprints size : 28245 Bytes
Target categories : 15
Target families : 654


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:40 %
Total physical memory:261104 kb
Available physical memory:102336 kb
Total page file size:640956 kb
Available on page file:549012 kb
Total virtual memory:2097024 kb
Available virtual memory:2032184 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Move deleted files to Recycle Bin
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Obtain command line of scanned processes
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Play sound at scan completion if scan locates critical objects


02-05-2005 7:30:32 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 252
ThreadCreationTime : 03-05-2005 1:03:48 AM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 304
ThreadCreationTime : 03-05-2005 1:03:53 AM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 328
ThreadCreationTime : 03-05-2005 1:03:55 AM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 372
ThreadCreationTime : 03-05-2005 1:03:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 392
ThreadCreationTime : 03-05-2005 1:03:59 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 544
ThreadCreationTime : 03-05-2005 1:04:04 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 608
ThreadCreationTime : 03-05-2005 1:04:05 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 672
ThreadCreationTime : 03-05-2005 1:04:06 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 692
ThreadCreationTime : 03-05-2005 1:04:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 752
ThreadCreationTime : 03-05-2005 1:04:07 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 1032
ThreadCreationTime : 03-05-2005 1:04:29 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:12 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 1480
ThreadCreationTime : 03-05-2005 1:08:36 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

FlashenhancerBHO Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : unawareobj.unawareobj

FlashenhancerBHO Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : unawareobj.unawareobj
Value :

FlashenhancerBHO Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : unawareobj.unawareobj.1

FlashenhancerBHO Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : unawareobj.unawareobj.1
Value :

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 4


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 4



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : FREE Access to 800 Paid sites.url
Category : Misc
Comment : Problematic URL discovered: http://getthis4free.com/
Object : C:\Documents and Settings\Erik Webster Allen\Favorites\




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

7:38:48 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:08:16.764
Objects scanned:75885
Objects identified:5
Objects ignored:0
New critical objects:5

#3 Rawe (Visiting Staff, 4,746 posts)
Welcome!

Ad-aware has found object(s) on your computer

If you choose to clean your computer from what Ad-aware found, follow these instructions below…

Make sure that you are using the * SE1R42 28.04.2005 * definition file.


Open up Ad-Aware SE and click on the gear to access the Configuration menu. Make sure that this setting is applied.

Click on Tweak > Cleaning engine > UNcheck "Always try to unload modules before deletion".

Disconnect from the internet (for broadband/cable users, it is recommended that you disconnect the cable connection) and close all open browsers or other programs you have running.

Then boot into Safe Mode

To clean your machine, it is highly recommended that you clean the following directory contents (but not the directory folder):

Run CCleaner to help in this process.
Download CCleaner (Setup: go to >options > settings > Uncheck "Only delete files in Windows Temp folders older than 48 hours" for cleaning malware files!)

* C:\Windows\Temp\
* C:\Documents and Settings\<Your Profile>\Local Settings\Temporary Internet Files\ <- This will delete all your cached internet content including cookies.
* C:\Documents and Settings\<Your Profile>\Local Settings\Temp\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temporary Internet Files\
* C:\Documents and Settings\<Any other users Profile>\Local Settings\Temp\
* Empty your "Recycle Bin".

Run Ad-Aware SE from the command lines shown in the instructions shown below.

Click "Start" > select "Run" > type the text shown below (including the quotation marks and with the same spacing as shown)

"C:\Program Files\Lavasoft\Ad-Aware SE Professional\Ad-Aware.exe" /full +procnuke
(For the Professional version)

"C:\Program Files\Lavasoft\Ad-Aware SE Plus\Ad-Aware.exe" /full +procnuke
(For the Plus version)

"C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe" +procnuke
(For the Personal version)


Click Ok.

Note: the path above is the default installation location for Ad-aware SE; if this is different, adjust it to the location that you have installed it to.

When the scan has completed, select next. In the Scanning Results window, select the "Scan Summary"- tab. Check the box next to any objects you wish to remove. Click next, Click Ok.

If problems are caused by deleting a family, just leave it.


Reboot your computer after removal, run a new "full system scan" and post the results as a reply. Don't open any programs or connect to the internet at this time.

Then copy & paste the complete log file here. Don't quarantine or remove anything at this time, just post a complete logfile. This can sometimes take 2-3 posts to get it all posted; once the "Summary of this scan" information is shown, you have posted all of your logfile.

Also, keep in mind that when you are posting another logfile, keep "Search for negligible risk entries" deselected, as negligible risk entries (MRUs) aren't considered a threat. This option can be changed when choosing your scan type.

Remember to post your fresh scanlog in THIS topic.

- Rawe :tazz:

#4 ewallen (Topic Starter, Member, 11 posts)
Thanks for the reply.
Here's my next Ad-Aware log file. It still won't run in non-safe mode, so this scan was run in safe mode.
Thanks again.

Ad-Aware SE Build 1.05
Logfile Created on:May 3, 2005 10:08:07 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R42 28.04.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
FlashenhancerBHO(TAC index:7):4 total references
Possible Browser Hijack attempt(TAC index:3):1 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R42 28.04.2005
Internal build : 49
File location : C:\Program Files\Lavasoft\Ad-Aware SE Personal\defs.ref
File size : 466557 Bytes
Total size : 1403889 Bytes
Signature data size : 1373297 Bytes
Reference data size : 30080 Bytes
Signatures total : 39226
Fingerprints total : 836
Fingerprints size : 28245 Bytes
Target categories : 15
Target families : 654


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Intel Pentium IV
Memory available:61 %
Total physical memory:261104 kb
Available physical memory:156880 kb
Total page file size:640956 kb
Available on page file:569892 kb
Total virtual memory:2097024 kb
Available virtual memory:2048824 kb
OS:Microsoft Windows XP Home Edition Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Obtain command line of scanned processes
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Write-protect system files after repair (Hosts file, etc.)
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Play sound at scan completion if scan locates critical objects


03-05-2005 10:08:07 PM - Scan started. (Full System Scan)

Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
ModuleName : \SystemRoot\System32\smss.exe
Command Line : n/a
ProcessID : 252
ThreadCreationTime : 04-05-2005 4:06:14 AM
BasePriority : Normal


#:2 [csrss.exe]
ModuleName : \??\C:\WINDOWS\system32\csrss.exe
Command Line : C:\WINDOWS\system32\csrss.exe ObjectDirectory=\Windows SharedSection=1024,3072,512 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:UserServerDllInitialization,3 ServerDll=winsrv:ConServerDllInitialization,2 ProfileControl=Off MaxRequestTh
ProcessID : 304
ThreadCreationTime : 04-05-2005 4:06:19 AM
BasePriority : Normal


#:3 [winlogon.exe]
ModuleName : \??\C:\WINDOWS\system32\winlogon.exe
Command Line : winlogon.exe
ProcessID : 328
ThreadCreationTime : 04-05-2005 4:06:21 AM
BasePriority : High


#:4 [services.exe]
ModuleName : C:\WINDOWS\system32\services.exe
Command Line : C:\WINDOWS\system32\services.exe
ProcessID : 372
ThreadCreationTime : 04-05-2005 4:06:25 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:5 [lsass.exe]
ModuleName : C:\WINDOWS\system32\lsass.exe
Command Line : C:\WINDOWS\system32\lsass.exe
ProcessID : 384
ThreadCreationTime : 04-05-2005 4:06:25 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe

#:6 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k DcomLaunch
ProcessID : 528
ThreadCreationTime : 04-05-2005 4:06:29 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [svchost.exe]
ModuleName : C:\WINDOWS\system32\svchost.exe
Command Line : C:\WINDOWS\system32\svchost -k rpcss
ProcessID : 596
ThreadCreationTime : 04-05-2005 4:06:30 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:8 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k netsvcs
ProcessID : 660
ThreadCreationTime : 04-05-2005 4:06:31 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:9 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k NetworkService
ProcessID : 676
ThreadCreationTime : 04-05-2005 4:06:32 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:10 [svchost.exe]
ModuleName : C:\WINDOWS\System32\svchost.exe
Command Line : C:\WINDOWS\System32\svchost.exe -k LocalService
ProcessID : 732
ThreadCreationTime : 04-05-2005 4:06:33 AM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:11 [explorer.exe]
ModuleName : C:\WINDOWS\Explorer.EXE
Command Line : C:\WINDOWS\Explorer.EXE
ProcessID : 992
ThreadCreationTime : 04-05-2005 4:06:41 AM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE

#:12 [ad-aware.exe]
ModuleName : C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe
Command Line : "C:\Program Files\Lavasoft\Ad-Aware SE Personal\Ad-Aware.exe"
ProcessID : 1236
ThreadCreationTime : 04-05-2005 4:07:55 AM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 0


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

FlashenhancerBHO Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : unawareobj.unawareobj

FlashenhancerBHO Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : unawareobj.unawareobj
Value :

FlashenhancerBHO Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : unawareobj.unawareobj.1

FlashenhancerBHO Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : unawareobj.unawareobj.1
Value :

Registry Scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 4
Objects found so far: 4


Started deep registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Deep registry scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Started Tracking Cookie scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»


Tracking cookie scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4



Deep scanning and examining files (C:)
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Disk Scan Result for C:\
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 4


Scanning Hosts file......
Hosts file location:"C:\WINDOWS\system32\drivers\etc\hosts".
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Hosts file scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
1 entries scanned.
New critical objects:0
Objects found so far: 4



Possible Browser Hijack attempt Object Recognized!
Type : File
Data : FREE Access to 800 Paid sites.url
Category : Misc
Comment : Problematic URL discovered: http://getthis4free.com/
Object : C:\Documents and Settings\Erik Webster Allen\Favorites\




Performing conditional scans...
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Conditional scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 0
Objects found so far: 5

10:17:11 PM Scan Complete

Summary Of This Scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Total scanning time:00:09:04.784
Objects scanned:77567
Objects identified:5
Objects ignored:0
New critical objects:5
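The two Ad-Aware logs posted in this thread report the same five objects before and after the attempted clean-up, which is the signal a helper looks for when judging whether a removal step took effect. The script below is an added example, not part of the thread or of Ad-Aware itself: it parses the "Object Recognized!" blocks and the scan summary of an Ad-Aware SE log and diffs two scans. The embedded log excerpts are shortened copies of the two logs above, with the user profile folder replaced by a placeholder.

```python
"""Parse Ad-Aware SE scan logs and diff the findings of two scans.

Added example, not part of the thread. Excerpts below are shortened copies
of the two logs posted above (user profile replaced by a placeholder).
"""
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class Finding:
    family: str     # detection family, e.g. "FlashenhancerBHO"
    kind: str       # "Regkey", "RegValue" or "File"
    location: str   # registry root + object, or folder + file name
    comment: str    # free-text comment, e.g. the flagged URL

SUMMARY_KEYS = ("Objects scanned", "Objects identified", "New critical objects")

def _fields(lines):
    """Turn 'Key : value' lines into a dict; a value may itself contain ':'."""
    out = {}
    for line in lines:
        key, _, val = line.partition(":")
        out[key.strip()] = val.strip()
    return out

def parse_log(text):
    """Return (findings, summary) for one Ad-Aware SE log."""
    findings, summary = [], {}
    for block in re.split(r"\n\s*\n", text.strip()):
        lines = [ln.strip() for ln in block.splitlines() if ln.strip()]
        if not lines:
            continue
        hit = re.match(r"(.+?) Object Recognized!$", lines[0])
        if hit:
            f = _fields(lines[1:])
            if f.get("Type") == "File":
                location = f.get("Object", "") + f.get("Data", "")
            else:
                location = f.get("Rootkey", "") + "\\" + f.get("Object", "")
                if f.get("Value"):
                    location += " -> " + f["Value"]
            findings.append(Finding(hit.group(1), f.get("Type", "?"),
                                    location, f.get("Comment", "")))
        elif lines[0] == "Summary Of This Scan":
            for k, v in _fields(lines[1:]).items():
                if k in SUMMARY_KEYS:
                    summary[k] = int(v)
    return findings, summary

def compare(before, after):
    """Diff two logs: findings that persisted, disappeared, or are new."""
    a, b = set(parse_log(before)[0]), set(parse_log(after)[0])
    return {"persisted": a & b, "removed": a - b, "new": b - a}

# Shortened excerpt of the first log posted in the thread.
SCAN_1 = r"""
Logfile Created on:May 2, 2005 7:30:32 PM

FlashenhancerBHO Object Recognized!
Type : Regkey
Rootkey : HKEY_CLASSES_ROOT
Object : unawareobj.unawareobj

FlashenhancerBHO Object Recognized!
Type : RegValue
Rootkey : HKEY_CLASSES_ROOT
Object : unawareobj.unawareobj
Value :

FlashenhancerBHO Object Recognized!
Type : Regkey
Rootkey : HKEY_CLASSES_ROOT
Object : unawareobj.unawareobj.1

FlashenhancerBHO Object Recognized!
Type : RegValue
Rootkey : HKEY_CLASSES_ROOT
Object : unawareobj.unawareobj.1
Value :

Possible Browser Hijack attempt Object Recognized!
Type : File
Data : FREE Access to 800 Paid sites.url
Comment : Problematic URL discovered: http://getthis4free.com/
Object : C:\Documents and Settings\<Your Profile>\Favorites\

Summary Of This Scan
Objects scanned:75885
Objects identified:5
New critical objects:5
"""

# The second posted log differs only in its timestamp and scan counts.
SCAN_2 = (SCAN_1.replace("May 2, 2005 7:30:32 PM", "May 3, 2005 10:08:07 PM")
                .replace("Objects scanned:75885", "Objects scanned:77567"))

if __name__ == "__main__":
    for label, items in compare(SCAN_1, SCAN_2).items():
        print(label, len(items), *sorted(f.location for f in items), sep="\n  ")
```

Running it shows five persisted findings and nothing removed, which is exactly the situation in this thread: the registry entries and the Favorites shortcut survived the attempted clean.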

#5 Rawe (Visiting Staff, 4,746 posts)
Hi again.
Sorry for the late answer...
Try these online virus scans;
- Trend Micro
- Panda Activescan

When the scans have finished, post the results here.

- Rawe :tazz:

#6 Guest_Andy_veal_* (Guest)
Please follow the instructions located in Step Five: Posting a Hijack This Log. Post your HJT log as a reply to this thread, which has been relocated to the Malware Removal Forum for providing you with further assistance.

Kindly note that it is very busy in the Malware Removal Forum, so there may be a delay in receiving a reply. Please also note that HJT logfiles are reviewed on a first come/first served basis.

#7 ewallen (Topic Starter, Member, 11 posts)
Hi,
Thanks for the reply, here's my HijackThis log:
(Thanks for the reply Rawe; I ran the Panda ActiveScan, and it identified many of the files in my HijackThis log, so, since I got referred to this forum, I'll wait for the response to the HijackThis log)

Logfile of HijackThis v1.99.1
Scan saved at 10:05:30 PM, on 05/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Erik Webster Allen\Desktop\erik's computer help\hijackthis\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = 127.0.0.1
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)
O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll
O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn\ycomp5_5_7_0.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Connection Client] C:\WINDOWS\system32\atmeorxx.exe
O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [tbilnve] c:\windows\nxfmmlr.exe
O4 - HKCU\..\Run: [sllajfa] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [syagate] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [pxkjddv] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [tvxkjvy] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [jawtrly] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [wvljwte] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [fkyouob] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [tianepy] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [tuvyede] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [fbqhavo] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [wkssyor] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [iqpsdij] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [wyblnea] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [wasjflv] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [mywrfwm] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [YBopRPJ7g] hhsortreader.exe
O4 - HKCU\..\Run: [snstpjr] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [cjusxdo] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [nfqnmwr] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [gxskalj] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [owyilrq] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [fdlrcxp] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [bqpbqnm] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [pdvaasn] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [fpbkjyj] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [clgjtrp] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [kwlsnlx] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [blaootq] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [mhxbfin] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [onwusfw] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [eqvueyn] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [siitbqo] c:\windows\apeyrab.exe
O4 - HKCU\..\Run: [kakytle] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [yrcljrf] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [rvsfobr] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [veeetos] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [yvqttiq] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [vrmckkq] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [jrjkjmy] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [prltwlu] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [qtfivok] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [cpuvyhv] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [aryywco] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [yfchhys] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [mybpcnd] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [kahhxik] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [pjpquus] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [sfhhilm] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [nuvucdv] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [wcatetf] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [jjkhvue] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [ojoundt] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [dvtknmj] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [rektklj] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [aibeyhj] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [hlcdhkj] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [gkmqbri] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [chcjwav] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [woputoj] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [esooewk] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [swcgpew] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [awqeqci] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [nixvxyu] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [tcnvwwp] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [tdxvtos] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [avdvvuk] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [gmxvdiw] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [fqpyupd] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [qojjnhb] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [iijymys] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [bndthyy] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [cxvycgo] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [kqchunu] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [xgkubnl] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [yqqyxnx] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [lvsjgnb] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [wpoqsor] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [rwccneq] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [bqxqqbf] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [mphteqm] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [kjtetyu] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [wevlvru] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [jyjruec] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [sicrjck] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [etaspto] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [crurxar] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [nfsqapp] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [ccswdvb] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [vqwttch] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [vxnhhbf] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [pfbqkin] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [igxlyqw] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [dkynehm] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [eojndqy] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [jgymbyw] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [fttndyl] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [woxohqc] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [yjhinxq] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [qygyvjx] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [guwklnt] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [isjsemk] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [dccwyfs] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [gvskuat] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [xndssab] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [snwjtaw] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [odjcxyl] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [yeuwuau] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [emdjrun] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [lrmgbvq] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [wyvsagt] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [xgsmhtk] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [bsynjbd] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [qkptsvi] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [hygsoyf] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [cbbevch] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [avyvwsk] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [jsiyhlh] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [jubpoah] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [twcmsic] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [nbvjfnk] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [ysarkrm] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [lllykhv] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [pqpnmbw] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [jpmqvhq] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [xaytvea] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [vqrjdud] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [tvtdecl] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [yxjldix] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [biebfow] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [kcmroad] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [wnpwcby] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [eaxojen] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [gxuwmnt] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [dvsmbyf] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [omenrsj] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [iywhwdi] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [krafoqb] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [kqlhuui] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [tldamtv] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [ejnewun] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [buuodvt] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [haafiuk] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [vsghwgc] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [hwfuyro] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [kdcdewi] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [hhklpou] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [ougbxyi] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [ssaiyik] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [fqipseu] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [irsqgby] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [fvraflb] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [asvydrr] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [egkhncq] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [jvcxkbj] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [curdugk] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [tosclcn] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [fhldejp] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [yfaypbu] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [ilbbmgr] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [ogsnwff] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [uqxnupl] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [cmhtpgy] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [muohayx] c:\windows\myxdfiy.exe
O4 - HKCU\..\Run: [jipakvl] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [qdygfmy] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [xyimacm] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [qpurmwk] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [kqsjaxo] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [wpvbavg] c:\windows\myxdfiy.exe
O4 - HKCU\..\Run: [eqramxs] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [xrpqyyw] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [rrohlab] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [ndrxrha] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [ajspwso] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [bvphmvl] c:\windows\myxdfiy.exe
O4 - HKCU\..\Run: [mqugdfe] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [ywwxiqs] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [lexpndh] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [dfjsgqd] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [yuxgaim] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [hqvgmau] c:\windows\myxdfiy.exe
O4 - HKCU\..\Run: [ujmstav] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [pxagnqe] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [lnoshin] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [jkiseke] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [chhuvhe] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [nyqlxie] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [xrycbje] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [qoydsgf] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [yignrie] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [kesvgbr] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [pwfkkme] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [upsynwr] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [gmfhcqf] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [cqshsit] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [vyngpdd] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [pfxgqei] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [jligrgn] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [dsdgobw] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [fxioayp] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [lsotgaj] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [buujnil] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [pvbytqn] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [wrieaqh] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [onspumo] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [ciqflmk] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [osjrgmu] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [bdbdame] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [pyysqmb] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [ccgwkij] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [eiumuac] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [upyxrcm] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [lvdknfx] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [ncqaxwq] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [cywnosd] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [ebbnfla] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [urinqns] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [lipndpk] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [nktntji] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [jvnlxfw] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [qnycuxp] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [wyvffrj] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [dkriold] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [kcdylev] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [udgsjir] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [yqlrhid] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [wmbsiaq] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [viqsjqe] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [auvrhqp] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [agkubyt] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [kltjlvx] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [hsyvyow] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [daeinhu] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [neowxdy] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [gwmovib] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [lxrxuig] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [ropmuie] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [ygnavid] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [egtktii] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [faifpnj] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [tsysqeg] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [xmcnyyp] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [bgfjhsa] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [qyvwijw] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [pgruiyt] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [tevjbur] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [bwdelfs] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [iokawos] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [nmooplr] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [ldesnju] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [ryjvbem] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [pjymfwx] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [ntocjqj] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [tptgwlc] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [somaany] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [eebwbrp] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [ayvgjqc] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [vtrqrpn] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [ijfnsse] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [sfjcvir] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [klbkmwl] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [ejmhhbw] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [yhxebeh] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [pnpnrsb] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [iofxsts] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [vxswcap] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [reooyxh] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [mjjgvva] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [bsxffcw] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [pspmkeb] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [fvfhbdj] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [jlrjmeg] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [mcekyee] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [cfsgodm] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [devkcyc] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [gktrgev] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [niuxekp] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [ugvedrj] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [ymsmhwd] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [ovawiyj] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [mupwtce] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [eusfprw] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [vvwoliq] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [ttmnxll] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [gdqphem] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [baqcccb] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [lsihedf] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [vkylfdj] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [qhaxbbx] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [emtrpio] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [ijpxtvi] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [xkinbas] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [olbcied] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [rjwjnqw] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [jnykoyy] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [loshobn] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [rosirle] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [takqceh] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [uwcuwvd] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [mssgaae] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [asxoglk] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [vldmbsy] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [oxbekyh] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [xixxnra] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [wxxbxjx] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [gcuhwai] c:\windows\fhnmtpn.exe
O4 - HKCU\..\Run: [ldbrwld] c:\windows\fhnmtpn.exe
O4 - HKCU\..\Run: [pvfkurh] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [fnwwkxi] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [wroqphu] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [ibveabu] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [uyicasb] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [iagjytj] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [oahsmtf] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [cykknrw] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [aysvkga] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [ynveudd] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [mgtnpro] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [nsqfftk] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [eglwfig] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [vjnwsrx] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [auajyao] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [iqxklrw] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [bdlgnhe] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [estxife] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [pkdplge] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [lvuwqid] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [knkotev] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [bcjlmiv] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [guwaqti] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [pgwdxpi] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [nygbmlg] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [amlbkhv] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [tsvbljb] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [gfqbnnm] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [mwigorm] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [itubbbh] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [wvcqijj] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [byovvao] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [gtimubj] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [haxngbp] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [tkpabby] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [teaxpbs] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [rvvatvd] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [kincaqg] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [bornwtr] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [icampyo] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [hukltbo] c:\windows\jjeqqrd.exe
O4 - HKCU\..\Run: [ilejmtj] c:\windows\tptarsx.exe
O4 - HKCU\..\Run: [xbjhwac] c:\windows\tptarsx.exe
O4 - HKCU\..\Run: [pmueeil] c:\windows\tptarsx.exe
O4 - HKCU\..\Run: [qiggpfw] c:\windows\yxynmea.exe
O4 - HKCU\..\Run: [svyhxhr] c:\windows\yxynmea.exe
O4 - HKCU\..\Run: [wvobgkh] c:\windows\unefndt.exe
O4 - HKCU\..\Run: [xraothv] c:\windows\xycffls.exe
O4 - HKCU\..\Run: [vdnyfkw] c:\windows\xycffls.exe
O4 - HKCU\..\Run: [vtckmaf] c:\windows\xycffls.exe
O4 - HKCU\..\Run: [fmnfyay] c:\windows\wbrqucf.exe
O4 - HKCU\..\Run: [pnbnijs] c:\windows\yialagd.exe
O4 - HKCU\..\Run: [cyolqwt] c:\windows\yialagd.exe
O4 - HKCU\..\Run: [rcdlaps] c:\windows\yialagd.exe
O4 - HKCU\..\Run: [uriuofa] c:\windows\yialagd.exe
O4 - HKCU\..\Run: [fdsfdnf] c:\windows\hmghfli.exe
O4 - HKCU\..\Run: [vvghxga] c:\windows\ohgfdun.exe
O4 - HKCU\..\Run: [oawbdpm] c:\windows\woqxdhy.exe
O4 - HKCU\..\Run: [dsyyefn] c:\windows\sgjvfqs.exe
O4 - HKCU\..\Run: [yquecab] c:\windows\aiujoqx.exe
O4 - HKCU\..\Run: [hbdhxam] c:\windows\dneuckt.exe
O4 - HKCU\..\Run: [rxqpnvp] c:\windows\dneuckt.exe
O4 - HKCU\..\Run: [nsuaqse] c:\windows\dneuckt.exe
O4 - HKCU\..\Run: [utrryxd] c:\windows\dneuckt.exe
O4 - HKCU\..\Run: [repkyig] c:\windows\egwsltp.exe
O4 - HKCU\..\Run: [dncmlhr] c:\windows\egwsltp.exe
O4 - Startup: eTomi Pro On Startup.lnk = C:\Program Files\eTomiPro\Gui\etomipro.exe
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Program Files\M-Audio MobilePre\MPTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O8 - Extra context menu item: &Google Search - res://c:\program files\google\GoogleToolbar2.dll/cmsearch.html
O8 - Extra context menu item: Backward Links - res://c:\program files\google\GoogleToolbar2.dll/cmbacklinks.html
O8 - Extra context menu item: Cached Snapshot of Page - res://c:\program files\google\GoogleToolbar2.dll/cmcache.html
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office10\EXCEL.EXE/3000
O8 - Extra context menu item: Similar Pages - res://c:\program files\google\GoogleToolbar2.dll/cmsimilar.html
O8 - Extra context menu item: Translate into English - res://c:\program files\google\GoogleToolbar2.dll/cmtrans.html
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.5.0_01\bin\npjpi150_01.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Microsoft AntiSpyware helper - {A90DEC04-8C3B-46CB-BCDE-DE6E35AD9654} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A90DEC04-8C3B-46CB-BCDE-DE6E35AD9654} - (no file) (HKCU)
O16 - DPF: {4602AE28-0E46-320B-EFD9-00364F496251} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093371035858
O16 - DPF: {76947A08-DFBC-48F3-977F-5612E575B6B1} - https://cesium.ab.ta...gi-bin/oca2.cgi
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O16 - DPF: {DBB177CC-6908-4B53-9BEE-F1C697818D65} (QuickBooks Online Edition Utilities Class v4a) - https://accounting.q...167/qboax4a.cab
O21 - SSODL: Client Access - {61704116-D71B-45F9-86FC-35764D9D79A6} - C:\WINDOWS\system32\winttxex.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - Nemesis - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe

Edited by ewallen, 05 May 2005 - 10:33 PM.


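The O4 entries in the log above, triaged automatically. This is an added example, not code from ewallen's post, from Metallica's reply, or from the Spywadfix script the reply describes. It parses HijackThis O4 Run lines, flags the pattern this particular log shows (an HKCU Run value named with seven random lowercase letters that launches a seven-letter .exe dropped straight into the Windows directory) and groups the flagged values by the file they launch, which is exactly the information the cleanup needs: each dropped file once, together with the Run values that become orphans after it is deleted. The seven-letter heuristic is an assumption drawn from this log rather than a property of every hijacker, and the sample lines are constructed for the example (a few excerpted from the log plus legitimate entries for contrast).

```python
import re
from collections import defaultdict

# Constructed sample: a few O4 lines excerpted from the HijackThis log above, plus
# legitimate entries (Java updater, Messenger, a Startup-folder link) that the
# heuristic must leave alone.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Connection Client] C:\WINDOWS\system32\atmeorxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\Run: [tbilnve] c:\windows\nxfmmlr.exe
O4 - HKCU\..\Run: [sllajfa] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [syagate] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [pxkjddv] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [tuvyede] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [fbqhavo] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [YBopRPJ7g] hhsortreader.exe
O4 - Startup: eTomi Pro On Startup.lnk = C:\Program Files\eTomiPro\Gui\etomipro.exe
"""

# "O4 - <hive>\..\Run: [<value name>] <command line>" as HijackThis prints it.
O4_RUN = re.compile(r'^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$')
# Naming pattern used by the dropper in this log: seven random lowercase letters for
# both the registry value name and the executable's file name. This is an assumption
# drawn from this log, not a property of every hijacker.
RANDOM_NAME = re.compile(r'[a-z]{7}')
WINDOWS_DIR = 'c:\\windows'


def parse_o4_run(log_text):
    """Yield (hive, value_name, exe_path) for each O4 Run entry in a HijackThis log."""
    for line in log_text.splitlines():
        m = O4_RUN.match(line.strip())
        if not m:
            continue
        cmd = m.group('cmd').strip()
        if cmd.startswith('"'):
            path = cmd[1:cmd.index('"', 1)]          # quoted path; drop the arguments
        else:
            # Unquoted paths may contain spaces, so cut at the first ".exe" rather
            # than at the first space.
            exe = re.match(r'(.*?\.exe)(?:\s|$)', cmd, re.IGNORECASE)
            path = exe.group(1) if exe else cmd.split(' ', 1)[0]
        yield m.group('hive'), m.group('name'), path


def is_randomized(hive, name, path):
    """True for an HKCU Run value with a seven-letter random name that launches a
    seven-letter .exe sitting directly in the Windows directory."""
    directory, _, filename = path.lower().rpartition('\\')
    stem, _, ext = filename.rpartition('.')
    return (hive == 'HKCU'
            and directory == WINDOWS_DIR
            and ext == 'exe'
            and RANDOM_NAME.fullmatch(name) is not None
            and RANDOM_NAME.fullmatch(stem) is not None)


def triage(log_text):
    """Group the flagged Run values by the executable they launch, so each dropped
    file appears once together with every registry value that points at it."""
    by_exe = defaultdict(list)
    for hive, name, path in parse_o4_run(log_text):
        if is_randomized(hive, name, path):
            by_exe[path.lower()].append(name)
    return dict(by_exe)


def cleanup_plan(log_text):
    """Return (files, values): the unique executables to back up and delete, and the
    HKCU Run value names that become orphaned once those files are gone."""
    groups = triage(log_text)
    files = sorted(groups)
    values = sorted(name for names in groups.values() for name in names)
    return files, values


if __name__ == '__main__':
    groups = triage(SAMPLE_LOG)
    for exe, names in sorted(groups.items()):
        print(f'{exe}: {len(names)} Run value(s) -> {", ".join(names)}')
    files, values = cleanup_plan(SAMPLE_LOG)
    print(f'{len(files)} file(s) to back up and delete, {len(values)} Run value(s) to remove')
```

The script only reads the log and deletes nothing; it produces the file list to hand to a cleanup tool and the value names to tick in HijackThis afterwards. Because the heuristic is tuned to one naming scheme, entries that fall outside it still need a human look: the bare filename hhsortreader.exe (no directory, so it is resolved through the PATH search order) and the HKLM entry atmeorxx.exe in system32 are not flagged here and must be judged by hand.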
#8
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
The first thing I'd like to do is to make your log a bit more readable.

Download and Save Spywadfix to your computer from this link:
http://www.thespykil...s/spywadfix.exe

It will automatically extract to c:\spywad, where it needs to be in order to run, and will automatically open the remove spywad.vbs script for you, ready for you to paste in the line mentioned below.
If you have script blocking enabled, you will get a warning about a malicious script wanting to run. Please allow this script to run.

It is not malicious.
It will open an input box. Paste this line into the box:

c:\windows\nxfmmlr.exe

The script will kill that process, backup and then delete any matching files in System32 and your Windows Directory. It will create a log of all files deleted. This log file will be named Spywad.txt and be located inside the C:\Spywad Folder. The backups will also be located in two subfolders there. One named Systems and the other named Window.

The script will search the Windows Directory and delete desktop.html and popup.html if they exist. It will add entries to the log if these files are found and deleted.

It will then kill Explorer. You will lose your taskbar and desktop. It will repair the registry entries, returning your Windows default desktop and context menu functions.
It will restart Explorer.

** Script Does not remove the orphaned run entries.

Finally, it will run HijackThis so that you can remove the orphaned run entries and anything else as instructed by your Advisor on the forums.

If HijackThis doesn't start, run it manually.

--------------------------
When finished, post the contents of Spywad.txt and a new HijackThis log.

Check the following items in HijackThis.
Close all windows except HijackThis and click Fix checked:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://w-find.com/index.htm
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = http://w-find.com/index.htm
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = http://w-find.com/sp.htm
R1 - HKCU\Software\Microsoft\Internet Explorer\SearchURL,(Default) = http://w-find.com/index.htm

O2 - BHO: (no name) - {0AD937E7-2F37-4873-A05E-548A67EF1D0E} - (no file)

O2 - BHO: FlashEnhancer Extnder - {A749B4BC-7621-4a80-9220-D0A283367DD5} - c:\Program Files\Fln\fln.dll

O4 - HKLM\..\Run: [FlnCPY] "C:\Program Files\Common Files\Java\flncpy.exe"

O4 - HKCU\..\Run: [tbilnve] c:\windows\nxfmmlr.exe
O4 - HKCU\..\Run: [sllajfa] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [syagate] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [pxkjddv] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [tvxkjvy] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [jawtrly] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [wvljwte] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [fkyouob] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [tianepy] c:\windows\chsncwr.exe
O4 - HKCU\..\Run: [tuvyede] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [fbqhavo] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [wkssyor] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [iqpsdij] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [wyblnea] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [wasjflv] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [mywrfwm] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [YBopRPJ7g] hhsortreader.exe
O4 - HKCU\..\Run: [snstpjr] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [cjusxdo] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [nfqnmwr] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [gxskalj] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [owyilrq] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [fdlrcxp] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [bqpbqnm] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [pdvaasn] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [fpbkjyj] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [clgjtrp] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [kwlsnlx] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [blaootq] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [mhxbfin] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [onwusfw] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [eqvueyn] c:\windows\pxrhrsg.exe
O4 - HKCU\..\Run: [siitbqo] c:\windows\apeyrab.exe
O4 - HKCU\..\Run: [kakytle] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [yrcljrf] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [rvsfobr] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [veeetos] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [yvqttiq] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [vrmckkq] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [jrjkjmy] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [prltwlu] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [qtfivok] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [cpuvyhv] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [aryywco] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [yfchhys] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [mybpcnd] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [kahhxik] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [pjpquus] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [sfhhilm] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [nuvucdv] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [wcatetf] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [jjkhvue] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [ojoundt] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [dvtknmj] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [rektklj] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [aibeyhj] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [hlcdhkj] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [gkmqbri] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [chcjwav] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [woputoj] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [esooewk] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [swcgpew] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [awqeqci] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [nixvxyu] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [tcnvwwp] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [tdxvtos] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [avdvvuk] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [gmxvdiw] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [fqpyupd] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [qojjnhb] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [iijymys] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [bndthyy] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [cxvycgo] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [kqchunu] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [xgkubnl] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [yqqyxnx] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [lvsjgnb] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [wpoqsor] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [rwccneq] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [bqxqqbf] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [mphteqm] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [kjtetyu] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [wevlvru] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [jyjruec] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [sicrjck] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [etaspto] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [crurxar] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [nfsqapp] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [ccswdvb] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [vqwttch] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [vxnhhbf] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [pfbqkin] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [igxlyqw] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [dkynehm] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [eojndqy] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [jgymbyw] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [fttndyl] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [woxohqc] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [yjhinxq] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [qygyvjx] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [guwklnt] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [isjsemk] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [dccwyfs] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [gvskuat] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [xndssab] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [snwjtaw] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [odjcxyl] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [yeuwuau] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [emdjrun] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [lrmgbvq] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [wyvsagt] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [xgsmhtk] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [bsynjbd] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [qkptsvi] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [hygsoyf] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [cbbevch] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [avyvwsk] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [jsiyhlh] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [jubpoah] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [twcmsic] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [nbvjfnk] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [ysarkrm] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [lllykhv] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [pqpnmbw] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [jpmqvhq] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [xaytvea] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [vqrjdud] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [tvtdecl] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [yxjldix] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [biebfow] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [kcmroad] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [wnpwcby] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [eaxojen] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [gxuwmnt] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [dvsmbyf] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [omenrsj] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [iywhwdi] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [krafoqb] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [kqlhuui] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [tldamtv] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [ejnewun] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [buuodvt] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [haafiuk] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [vsghwgc] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [hwfuyro] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [kdcdewi] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [hhklpou] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [ougbxyi] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [ssaiyik] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [fqipseu] c:\windows\hyhacch.exe
O4 - HKCU\..\Run: [irsqgby] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [fvraflb] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [asvydrr] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [egkhncq] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [jvcxkbj] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [curdugk] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [tosclcn] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [fhldejp] c:\windows\vlinbll.exe
O4 - HKCU\..\Run: [yfaypbu] c:\windows\gvncbmp.exe
O4 - HKCU\..\Run: [ilbbmgr] c:\windows\lxkbytp.exe
O4 - HKCU\..\Run: [ogsnwff] c:\windows\nexubyb.exe
O4 - HKCU\..\Run: [uqxnupl] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [cmhtpgy] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [muohayx] c:\windows\myxdfiy.exe
O4 - HKCU\..\Run: [jipakvl] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [qdygfmy] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [xyimacm] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [qpurmwk] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [kqsjaxo] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [wpvbavg] c:\windows\myxdfiy.exe
O4 - HKCU\..\Run: [eqramxs] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [xrpqyyw] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [rrohlab] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [ndrxrha] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [ajspwso] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [bvphmvl] c:\windows\myxdfiy.exe
O4 - HKCU\..\Run: [mqugdfe] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [ywwxiqs] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [lexpndh] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [dfjsgqd] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [yuxgaim] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [hqvgmau] c:\windows\myxdfiy.exe
O4 - HKCU\..\Run: [ujmstav] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [pxagnqe] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [lnoshin] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [jkiseke] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [chhuvhe] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [nyqlxie] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [xrycbje] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [qoydsgf] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [yignrie] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [kesvgbr] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [pwfkkme] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [upsynwr] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [gmfhcqf] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [cqshsit] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [vyngpdd] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [pfxgqei] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [jligrgn] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [dsdgobw] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [fxioayp] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [lsotgaj] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [buujnil] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [pvbytqn] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [wrieaqh] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [onspumo] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [ciqflmk] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [osjrgmu] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [bdbdame] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [pyysqmb] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [ccgwkij] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [eiumuac] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [upyxrcm] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [lvdknfx] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [ncqaxwq] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [cywnosd] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [ebbnfla] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [urinqns] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [lipndpk] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [nktntji] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [jvnlxfw] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [qnycuxp] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [wyvffrj] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [dkriold] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [kcdylev] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [udgsjir] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [yqlrhid] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [wmbsiaq] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [viqsjqe] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [auvrhqp] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [agkubyt] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [kltjlvx] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [hsyvyow] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [daeinhu] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [neowxdy] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [gwmovib] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [lxrxuig] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [ropmuie] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [ygnavid] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [egtktii] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [faifpnj] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [tsysqeg] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [xmcnyyp] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [bgfjhsa] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [qyvwijw] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [pgruiyt] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [tevjbur] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [bwdelfs] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [iokawos] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [nmooplr] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [ldesnju] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [ryjvbem] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [pjymfwx] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [ntocjqj] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [tptgwlc] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [somaany] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [eebwbrp] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [ayvgjqc] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [vtrqrpn] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [ijfnsse] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [sfjcvir] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [klbkmwl] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [ejmhhbw] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [yhxebeh] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [pnpnrsb] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [iofxsts] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [vxswcap] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [reooyxh] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [mjjgvva] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [bsxffcw] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [pspmkeb] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [fvfhbdj] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [jlrjmeg] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [mcekyee] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [cfsgodm] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [devkcyc] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [gktrgev] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [niuxekp] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [ugvedrj] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [ymsmhwd] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [ovawiyj] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [mupwtce] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [eusfprw] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [vvwoliq] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [ttmnxll] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [gdqphem] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [baqcccb] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [lsihedf] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [vkylfdj] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [qhaxbbx] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [emtrpio] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [ijpxtvi] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [xkinbas] c:\windows\ncragxr.exe
O4 - HKCU\..\Run: [olbcied] c:\windows\vjdsgkd.exe
O4 - HKCU\..\Run: [rjwjnqw] c:\windows\xmwphyu.exe
O4 - HKCU\..\Run: [jnykoyy] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [loshobn] c:\windows\gthhglg.exe
O4 - HKCU\..\Run: [rosirle] c:\windows\ernkfvn.exe
O4 - HKCU\..\Run: [takqceh] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [uwcuwvd] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [mssgaae] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [asxoglk] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [vldmbsy] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [oxbekyh] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [xixxnra] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [wxxbxjx] c:\windows\hsikliw.exe
O4 - HKCU\..\Run: [gcuhwai] c:\windows\fhnmtpn.exe
O4 - HKCU\..\Run: [ldbrwld] c:\windows\fhnmtpn.exe
O4 - HKCU\..\Run: [pvfkurh] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [fnwwkxi] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [wroqphu] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [ibveabu] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [uyicasb] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [iagjytj] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [oahsmtf] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [cykknrw] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [aysvkga] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [ynveudd] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [mgtnpro] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [nsqfftk] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [eglwfig] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [vjnwsrx] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [auajyao] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [iqxklrw] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [bdlgnhe] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [estxife] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [pkdplge] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [lvuwqid] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [knkotev] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [bcjlmiv] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [guwaqti] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [pgwdxpi] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [nygbmlg] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [amlbkhv] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [tsvbljb] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [gfqbnnm] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [mwigorm] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [itubbbh] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [wvcqijj] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [byovvao] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [gtimubj] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [haxngbp] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [tkpabby] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [teaxpbs] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [rvvatvd] c:\windows\hubachw.exe
O4 - HKCU\..\Run: [kincaqg] c:\windows\qfgpcib.exe
O4 - HKCU\..\Run: [bornwtr] c:\windows\ymqhcul.exe
O4 - HKCU\..\Run: [icampyo] c:\windows\pcmrbsi.exe
O4 - HKCU\..\Run: [hukltbo] c:\windows\jjeqqrd.exe
O4 - HKCU\..\Run: [ilejmtj] c:\windows\tptarsx.exe
O4 - HKCU\..\Run: [xbjhwac] c:\windows\tptarsx.exe
O4 - HKCU\..\Run: [pmueeil] c:\windows\tptarsx.exe
O4 - HKCU\..\Run: [qiggpfw] c:\windows\yxynmea.exe
O4 - HKCU\..\Run: [svyhxhr] c:\windows\yxynmea.exe
O4 - HKCU\..\Run: [wvobgkh] c:\windows\unefndt.exe
O4 - HKCU\..\Run: [xraothv] c:\windows\xycffls.exe
O4 - HKCU\..\Run: [vdnyfkw] c:\windows\xycffls.exe
O4 - HKCU\..\Run: [vtckmaf] c:\windows\xycffls.exe
O4 - HKCU\..\Run: [fmnfyay] c:\windows\wbrqucf.exe
O4 - HKCU\..\Run: [pnbnijs] c:\windows\yialagd.exe
O4 - HKCU\..\Run: [cyolqwt] c:\windows\yialagd.exe
O4 - HKCU\..\Run: [rcdlaps] c:\windows\yialagd.exe
O4 - HKCU\..\Run: [uriuofa] c:\windows\yialagd.exe
O4 - HKCU\..\Run: [fdsfdnf] c:\windows\hmghfli.exe
O4 - HKCU\..\Run: [vvghxga] c:\windows\ohgfdun.exe
O4 - HKCU\..\Run: [oawbdpm] c:\windows\woqxdhy.exe
O4 - HKCU\..\Run: [dsyyefn] c:\windows\sgjvfqs.exe
O4 - HKCU\..\Run: [yquecab] c:\windows\aiujoqx.exe
O4 - HKCU\..\Run: [hbdhxam] c:\windows\dneuckt.exe
O4 - HKCU\..\Run: [rxqpnvp] c:\windows\dneuckt.exe
O4 - HKCU\..\Run: [nsuaqse] c:\windows\dneuckt.exe
O4 - HKCU\..\Run: [utrryxd] c:\windows\dneuckt.exe
O4 - HKCU\..\Run: [repkyig] c:\windows\egwsltp.exe
O4 - HKCU\..\Run: [dncmlhr] c:\windows\egwsltp.exe

O9 - Extra button: Microsoft AntiSpyware helper - {A90DEC04-8C3B-46CB-BCDE-DE6E35AD9654} - (no file) (HKCU)
O9 - Extra 'Tools' menuitem: Microsoft AntiSpyware helper - {A90DEC04-8C3B-46CB-BCDE-DE6E35AD9654} - (no file) (HKCU)
O16 - DPF: {4602AE28-0E46-320B-EFD9-00364F496251} - http://69.50.182.94/1/rdgCA1882.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://207.188.7.150...tzip/RdxIE6.cab

O21 - SSODL: Client Access - {61704116-D71B-45F9-86FC-35764D9D79A6} - C:\WINDOWS\system32\winttxex.dll

Reboot and show me the logs when you are done.

Regards,
  • 0

#9
ewallen

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi,
Thanks so much for the reply, I did my best to follow your instructions.
In my desperation, I had already fixed all but 2 of the items you listed.
nxfmmlr.exe was in my recycle bin; I restored it so I could follow your instructions re: spywad.
The 21-SSODL item seems to have reappeared.
I've been doing all of this in safe mode under Administrator. When I booted up in non-safe mode, the computer seemed to be less sluggish, but I still cannot connect to the internet (I cannot acquire an IP address in non-safe mode), and neither Spybot nor Ad-Aware will run in non-safe mode.
On the positive side, I no longer get the "WinMin" message when shutting down.
Here are the two logs you requested.
Thanks again.


Spywad:

12/05/2005 9:31:06 PM
C:\WINDOWS\nxfmmlr.exe
C:\WINDOWS\unefndt.exe

Logfile of HijackThis v1.99.1
Scan saved at 9:46:09 PM, on 12/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Erik Webster Allen\Desktop\erik's computer help\hijackthis\HijackThis.exe

O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Connection Client] C:\WINDOWS\system32\atmeorxx.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Program Files\M-Audio MobilePre\MPTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093371035858
O16 - DPF: {76947A08-DFBC-48F3-977F-5612E575B6B1} - https://cesium.ab.ta...gi-bin/oca2.cgi
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: Client Access - {681D0527-B769-4C77-A44B-3F791DEC5B73} - C:\WINDOWS\system32\winttxex.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - Nemesis - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
  • 0

#10
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Can you see if this file exists?
C:\WINDOWS\system32\atmeorxx.exe

If so rename it to atmeorxx.bak

also make a copy of C:\WINDOWS\system32\winttxex.dll and save that as winttxex.bak

I would like to receive copies of those two when we are done.

Please download the Killbox and run Killbox by double-clicking Killbox.exe
Select "Replace on Reboot" and check the "Use Dummy" box.
Choose this file as the one to be replaced
C:\WINDOWS\system32\winttxex.dll
Return to Killbox, go to the File menu, and choose "Paste from Clipboard".
Click the red-and-white "Delete File" button. Click "Yes" at the Delete on Reboot prompt. Click "No" at the Pending Operations prompt.

If you receive a message such as: "Component 'MsComCtl.ocx' or one of its dependencies not correctly registered: a file is missing or invalid." when trying to run TheKillbox, click here to download and run missingfilesetup.exe. Then try TheKillbox again.

Let the system reboot and use HijackThis to fix:

O4 - HKLM\..\Run: [Connection Client] C:\WINDOWS\system32\atmeorxx.exe

O21 - SSODL: Client Access - {61704116-D71B-45F9-86FC-35764D9D79A6} - C:\WINDOWS\system32\winttxex.dll

Let me know,
  • 0


#11
ewallen

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi,
I have followed your instructions up to Killbox; however, after I press the red-and-white 'Delete File' button and click 'Yes' at 'Delete on Reboot', when I click 'No' on the pending operations prompt ('changes will be made after reboot, reboot now?'), nothing seems to happen and Killbox returns to (mostly) default settings. Your instructions then say 'allow the computer to reboot', so should I actually say 'Yes' to the second prompt?
I will wait for your response before completing the instructions and sending you the log and .bak files.
Thanks.
  • 0

#12
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
If your computer does not reboot immediately after the Killbox prompts, please reboot it manually.

It should be done as soon as possible after using Killbox.

Regards,
  • 0

#13
ewallen

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi,
I rebooted manually after running killbox, and fixed the two files as you instructed.
I tried to attach the 2 .bak files as you requested, but I got a message that I was not allowed to upload files with that extension.
There has been some more improvement: I am now able to open up spybot and adaware in non-safe mode.
However, I still cannot connect to the internet in non-safe mode (i.e. it tells me it cannot find the server).
Here is my current hijack this log:
Thanks again.

Logfile of HijackThis v1.99.1
Scan saved at 2:53:23 PM, on 13/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Erik Webster Allen\Desktop\erik's computer help\hijackthis\HijackThis.exe

O2 - BHO: PopKill Class - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
O2 - BHO: ZKBho Class - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Program Files\M-Audio MobilePre\MPTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093371035858
O16 - DPF: {76947A08-DFBC-48F3-977F-5612E575B6B1} - https://cesium.ab.ta...gi-bin/oca2.cgi
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - Nemesis - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
  • 0

#14
Metallica

    Spyware Veteran

  • GeekU Moderator
  • 33,101 posts
Would you be willing to email me the .bak files?

The address is pieterATwilderssecurity.org (replace AT with @)

Then in IE > Tools > Options > Programs > Reset WebSettings

Let me know if that helps.
I'll have a look at the files and see if they tell me something that could help.

Regards,
  • 0

#15
ewallen

    Member

  • Topic Starter
  • Member
  • 11 posts
Hi,
Thanks again for all your help.
I'll email you the files. I've discovered that I can connect to the internet when my security programs (virus and firewall) are shut down. Windows won't let me look at the Windows firewall settings.
Also, I noticed that winttxex.dll and atmeorxx.exe have shown up again in the hijackthis scan (logfile below).

Logfile of HijackThis v1.99.1
Scan saved at 11:01:39 PM, on 13/05/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Documents and Settings\Erik Webster Allen\Desktop\erik's computer help\hijackthis\HijackThis.exe

O2 - BHO: Pop-Up Blocker BHO - {3C060EA2-E6A9-4E49-A530-D4657B8C449A} - C:\Program Files\Zero Knowledge\TELUS Security service\pkR.dll
O2 - BHO: Form Filler BHO - {56071E0D-C61B-11D3-B41C-00E02927A304} - C:\Program Files\Zero Knowledge\TELUS Security service\FreeBHOR.dll
O2 - BHO: Google Toolbar Helper - {AA58ED58-01DD-4d91-8333-CF10577473F7} - c:\program files\google\googletoolbar2.dll
O2 - BHO: AcroIEToolbarHelper Class - {AE7CD045-E861-484f-8273-0445EE161910} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: Adobe PDF - {47833539-D0C5-4125-9FA8-0819E2EAAC93} - C:\Program Files\Adobe\Acrobat 6.0\Acrobat\AcroIEFavClient.dll
O3 - Toolbar: &Google - {2318C2B1-4965-11d4-9B18-009027A5CD4F} - c:\program files\google\googletoolbar2.dll
O4 - HKLM\..\Run: [ATIModeChange] Ati2mdxx.exe
O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe
O4 - HKLM\..\Run: [Apoint] C:\Program Files\Apoint2K\Apoint.exe
O4 - HKLM\..\Run: [CeEPOWER] C:\Program Files\TOSHIBA\Power Management\CePMTray.exe
O4 - HKLM\..\Run: [CeEKEY] C:\Program Files\TOSHIBA\E-KEY\CeEKey.exe
O4 - HKLM\..\Run: [TPNF] C:\Program Files\TOSHIBA\TouchPad\TPTray.exe
O4 - HKLM\..\Run: [LtMoh] C:\Program Files\ltmoh\Ltmoh.exe
O4 - HKLM\..\Run: [ezShieldProtector for Px] C:\WINDOWS\System32\ezSP_Px.exe
O4 - HKLM\..\Run: [Drag'n Drop CD] C:\Program Files\Drag'n Drop CD\BinFiles\DragDrop.exe /StartUp
O4 - HKLM\..\Run: [Microsoft Works Update Detection] C:\Program Files\Common Files\Microsoft Shared\Works Shared\WkUFind.exe
O4 - HKLM\..\Run: [ADUserMon] C:\Program Files\Iomega\AutoDisk\ADUserMon.exe
O4 - HKLM\..\Run: [Motive SmartBridge] C:\PROGRA~1\TELUSE~1\SMARTB~1\MotiveSB.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\jre1.5.0_01\bin\jusched.exe
O4 - HKLM\..\Run: [Connection Client] C:\WINDOWS\system32\atmeorxx.exe
O4 - HKLM\..\Run: [TELUS Security service] C:\Program Files\Zero Knowledge\TELUS Security service\Freedom.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Global Startup: Acrobat Assistant.lnk = C:\Program Files\Adobe\Acrobat 6.0\Distillr\acrotray.exe
O4 - Global Startup: M-Audio MobilePre Control Panel Launcher.lnk = C:\Program Files\M-Audio MobilePre\MPTask.exe
O4 - Global Startup: Microsoft Office.lnk = C:\Program Files\Microsoft Office\Office\OSA9.EXE
O4 - Global Startup: Microsoft Works Calendar Reminders.lnk = ?
O4 - Global Startup: TELUS eCare.lnk = C:\Program Files\TELUS eCare\bin\matcli.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {6414512B-B978-451D-A0D8-FCFDF33E833C} (WUWebControl Class) - http://v5.windowsupd...b?1093371035858
O16 - DPF: {76947A08-DFBC-48F3-977F-5612E575B6B1} - https://cesium.ab.ta...gi-bin/oca2.cgi
O16 - DPF: {9A9307A0-7DA4-4DAF-B042-5009F29E09E1} (ActiveScan Installer Class) - http://www.pandasoft.../as5/asinst.cab
O21 - SSODL: Client Access - {4ECD839A-B522-47EF-934B-29346F485DFD} - C:\WINDOWS\system32\winttxex.dll
O23 - Service: Ati HotKey Poller - Unknown owner - C:\WINDOWS\System32\Ati2evxx.exe
O23 - Service: DvpApi (dvpapi) - Command Software Systems, Inc. - C:\Program Files\Common Files\Command Software\dvpapi.exe
O23 - Service: Iomega App Services - Iomega Corporation - C:\PROGRA~1\Iomega\System32\AppServices.exe
O23 - Service: MobilePre Installer (MobilePreInstallerService) - Nemesis - C:\Program Files\M-Audio MobilePre\Install\MPInst.exe
O23 - Service: Iomega Active Disk (_IOMEGA_ACTIVE_DISK_SERVICE_) - Iomega Corporation - C:\Program Files\Iomega\AutoDisk\ADService.exe
  • 0
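As an added example that is not part of this thread (written for this page, not by any poster), here is a small Python script that automates the two checks the helper is doing by eye across the logs above: flagging O4 Run entries with random seven-letter names pointing at random seven-letter EXEs dropped directly in C:\WINDOWS, and tracking the winttxex.dll SSODL entry that comes back under a fresh CLSID in each scan, alongside atmeorxx.exe, which vanished and then reappeared. The sample lines are copied from the thread; the scan labels are constructed.

```python
import re
from collections import defaultdict

# Constructed sample: HijackThis lines copied from this thread, grouped into
# scans (the helper's fix list plus the three logs ewallen posted later).
# The scan labels are constructed; sorting them gives chronological order.
SCANS = {
    "2005-05-11 fix list": [
        r"O4 - HKCU\..\Run: [kcmroad] c:\windows\gvncbmp.exe",
        r"O4 - HKCU\..\Run: [wnpwcby] c:\windows\lxkbytp.exe",
        r"O21 - SSODL: Client Access - {61704116-D71B-45F9-86FC-35764D9D79A6} - C:\WINDOWS\system32\winttxex.dll",
    ],
    "2005-05-12 21:46": [
        r"O4 - HKLM\..\Run: [Connection Client] C:\WINDOWS\system32\atmeorxx.exe",
        r"O21 - SSODL: Client Access - {681D0527-B769-4C77-A44B-3F791DEC5B73} - C:\WINDOWS\system32\winttxex.dll",
    ],
    "2005-05-13 14:53": [
        r"O4 - HKLM\..\Run: [AtiPTA] atiptaxx.exe",
    ],
    "2005-05-13 23:01": [
        r"O4 - HKLM\..\Run: [Connection Client] C:\WINDOWS\system32\atmeorxx.exe",
        r"O21 - SSODL: Client Access - {4ECD839A-B522-47EF-934B-29346F485DFD} - C:\WINDOWS\system32\winttxex.dll",
    ],
}

O4_RE = re.compile(r"^O4 - (HKLM|HKCU)\\\.\.\\Run: \[([^\]]+)\] (.*)$")
O21_RE = re.compile(r"^O21 - SSODL: (.*?) - \{([0-9A-Fa-f-]+)\} - (.*)$")
RANDOM7 = re.compile(r"^[a-z]{7}$")


def parse_run(line):
    """Return (hive, value name, executable path) for an O4 Run line, else None."""
    m = O4_RE.match(line)
    if not m:
        return None
    hive, name, cmd = m.groups()
    cmd = cmd.strip()
    if cmd.startswith('"'):                  # quoted path, arguments after the quote
        path = cmd[1:cmd.find('"', 1)]
    else:                                    # unquoted path, arguments start at " /"
        path = re.split(r"\s+/", cmd)[0]
    return hive, name, path


def random_run_entries(lines):
    """O4 entries whose value name and EXE stem are both seven random lowercase
    letters and whose EXE sits directly in C:\\WINDOWS: the shape of every line
    in the helper's fix list, and of nothing a normal installer writes."""
    hits = []
    for line in lines:
        parsed = parse_run(line)
        if parsed is None:
            continue
        hive, name, path = parsed
        directory, _, exe = path.lower().rpartition("\\")
        stem, _, ext = exe.rpartition(".")
        if (directory == "c:\\windows" and ext == "exe"
                and RANDOM7.match(name) and RANDOM7.match(stem)):
            hits.append((hive, name, path))
    return hits


def regenerating_ssodl(scans):
    """SSODL DLLs registered under more than one CLSID across scans: fixing the
    O21 line by CLSID removes one registration, and the DLL returns under a new one."""
    clsids = defaultdict(set)
    for lines in scans.values():
        for line in lines:
            m = O21_RE.match(line)
            if m:
                clsids[m.group(3).strip().lower()].add(m.group(2).upper())
    return {dll: sorted(ids) for dll, ids in clsids.items() if len(ids) > 1}


def reappearing_paths(scans):
    """Start-up paths that vanished from one scan and were back in a later one:
    something still on disk is re-creating them after each cleanup."""
    per_scan = []
    for key in sorted(scans):
        paths = set()
        for line in scans[key]:
            parsed, m = parse_run(line), O21_RE.match(line)
            if parsed is not None:
                paths.add(parsed[2].lower())
            elif m:
                paths.add(m.group(3).strip().lower())
        per_scan.append(paths)
    history = lambda p: "".join("1" if p in s else "0" for s in per_scan)
    # "10+1": present, gone for one or more scans, then present again
    return [p for p in sorted(set().union(*per_scan)) if re.search(r"10+1", history(p))]
```

The stable indicator across the three scans is the DLL path, not the CLSID, which is why the helper asks for a copy of winttxex.dll and a Replace-on-Reboot delete rather than another O21 fix.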