desktop virus spyware [RESOLVED]


  • This topic is locked

#1
mnadeem

    Member

  • 98 posts
Hi,
I have a desktop virus. Tried everything to remove it but no luck.
Here is the HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 1:34:07 PM, on 5/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\mqsvc.exe
c:\windows\system32\hvtqqj.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Copernic Agent\CopernicAgent.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\fnadeem\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\system32\rsyncmon.dll
O2 - BHO: (no name) - {1D2C0698-8FF5-4060-B84C-F1117A9EA9B1} - C:\WINDOWS\System32\arctiveds.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {253816F8-E9D4-4D78-94D8-806870C9B9B7} - C:\WINDOWS\system32\dccwfrp32.dll
O2 - BHO: (no name) - {2CF24D8F-D617-A9CA-4B46-DD38043D959D} - C:\WINDOWS\system32\favm.dll
O2 - BHO: (no name) - {2F82A540-98EA-45E3-BB01-1924B95F4205} - C:\WINDOWS\system32\fxsmofn.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: TBMouseGuestures Class - {3614926A-225F-4E00-8A1E-1D3095547FC8} - C:\Program Files\ToolButton\MouseGestures.dll
O2 - BHO: (no name) - {38D8FC82-A990-4AFC-BA78-DBC275032557} - C:\WINDOWS\System32\comcjat.dll
O2 - BHO: (no name) - {3A7DE571-E43B-49E6-9D6E-511925F512F3} - C:\WINDOWS\System32\ves.dll
O2 - BHO: IE 4.x-6.x BHO - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\PROGRA~1\BEGONE~1\IEHelper.dll
O2 - BHO: (no name) - {4F19A2CF-C5C6-46D0-896E-37430B11B348} - C:\WINDOWS\system32\atsmlib.dll
O2 - BHO: (no name) - {5178E090-3692-47A3-B6BF-723ECEBDA03F} - C:\WINDOWS\System32\fehclient.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: (no name) - {542C6E41-96F2-45BA-9B79-E5A322BD64D3} - C:\WINDOWS\System32\hcwtunoer.dll
O2 - BHO: (no name) - {5BB5EDE2-427F-4DC9-9E3E-ED93F8DEFA45} - C:\WINDOWS\System32\avviiewer.dll
O2 - BHO: (no name) - {5DB3DF0C-4F04-422D-8089-EAC9E085E20F} - C:\WINDOWS\system32\cocmpstui.dll
O2 - BHO: (no name) - {6291957C-8CE9-4c90-BEFF-12D9E68CFF30} - C:\Program Files\MoreGoogle\MoreGoogle.dll
O2 - BHO: (no name) - {654B6C90-DB39-400A-9720-C79EF2AAF1CE} - C:\WINDOWS\system32\duivx4.dll
O2 - BHO: (no name) - {6967170D-29CA-4CB5-B150-CCABE2F90DD9} - C:\WINDOWS\System32\hdmbho.dll
O2 - BHO: (no name) - {6EB32E91-494E-48D5-80F5-A573645C2556} - C:\WINDOWS\system32\cwlb.dll
O2 - BHO: (no name) - {7110E554-9A8D-4A76-8929-00B9260E83B1} - C:\WINDOWS\system32\javmen32.dll
O2 - BHO: (no name) - {79859B16-3FDA-4E22-8CAE-80EB2ADF5813} - C:\WINDOWS\system32\dllcda3d2.dll
O2 - BHO: (no name) - {79B249DB-A58E-4077-8985-CD029FBE419D} - C:\WINDOWS\System32\bbrowser.dll
O2 - BHO: (no name) - {7B08E694-E22E-4503-9924-9D702F898E97} - C:\WINDOWS\System32\sfxsevent.dll
O2 - BHO: (no name) - {887C075B-13A7-4715-90E5-FED0416599B4} - C:\WINDOWS\System32\bdeinsta2y5.dll
O2 - BHO: (no name) - {8DA3553D-0218-4F67-AC9D-AB0E94604908} - C:\WINDOWS\system32\d3td8.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {983B5C4A-345F-4358-AAE3-66FBE50963A3} - C:\WINDOWS\system32\dllaio32.dll
O2 - BHO: (no name) - {ABD4A9D4-67F8-427F-B2BF-177F07373FA6} - C:\WINDOWS\System32\ds3b2gt.dll
O2 - BHO: (no name) - {B9BB810E-3736-4F12-A78E-227C6D963E19} - C:\WINDOWS\System32\dpucdll.dll
O2 - BHO: AssistII - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\assist\asbar.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C2D2A467-28A2-4D02-BD55-9198A07763B5} - C:\WINDOWS\system32\atii3d1ag.dll
O2 - BHO: (no name) - {C851667F-3E79-4585-82DD-0E7C1FB34B1D} - C:\WINDOWS\System32\mblackbox.dll
O2 - BHO: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O2 - BHO: (no name) - {D2C7B438-B439-4CF5-B48E-CBAA13B9D274} - C:\WINDOWS\system32\cddvbcontrol.dll
O2 - BHO: (no name) - {ECE7F64B-ABAC-4152-A853-AEB0025D5DA5} - C:\WINDOWS\System32\evcentcls.dll
O2 - BHO: (no name) - {ED78CA6C-4D2D-4E33-9B3A-86FCD476C3AF} - C:\WINDOWS\System32\3ivxvfgwcodec.dll
O2 - BHO: (no name) - {F132F4EB-AC4A-4C69-A6DC-44F9141EDD28} - C:\WINDOWS\system32\dpucdull.dll
O2 - BHO: (no name) - {F7BD10BE-FB6D-4F78-9FD2-BC87E800F6CB} - C:\WINDOWS\System32\elbycdhio.dll
O2 - BHO: (no name) - {FCE5FB3F-B603-4D2A-8BA5-7DCA2702910F} - C:\WINDOWS\system32\dpwfsockx.dll
O2 - BHO: (no name) - {FE258638-EA4C-409A-9C12-5582C9989C89} - C:\WINDOWS\System32\fxmstiff.dll
O2 - BHO: (no name) - {FFB8F363-39A6-4FFE-99F9-D0D51EA3A986} - C:\WINDOWS\system32\dplajy.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: EI????E? - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\assist\asbar.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKLM\..\Run: [idosgig] c:\windows\system32\hvtqqj.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: 3721 Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.372...ndex.htm?fb=Cns (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: IE Password - {C40E0AA1-4EC1-455C-BA2B-79C336F89462} - C:\WINDOWS\system32\IEPassword.dll
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.c...nger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.372...ity1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.372...ity1.htm?fb=Cns (file missing)
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.372...ean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.372...ean1.htm?fb=Cns (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O9 - Extra 'Tools' menuitem: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O11 - Options group: [!CNS] Chinese keywords
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} - http://install.globa...de/ieloader.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolba...s/v3.0/0006.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} - http://download.onli...m/MaConnect.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\1189.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...0006_cracks.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c338.cab
O16 - DPF: {1678F7E1-C422-11D0-AD7D-00400515CAAA} - http://files.cometsy...011079175059309
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abet...N14183/thin.cab
O16 - DPF: {3717DF57-0396-463D-98B7-647C7DC6898A} - http://delivery.inet....com/inetdl.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_de.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {70A51FE4-7ACE-CCA3-8EAB-CDCE25CD862D} - http://public.search...12/kjebjqgl.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {81F0C919-AB0B-4F5C-932D-5CEEF05879E9} (IITLoadCtrl Class) - https://locator.01co...p/iitloader.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda....l/de/games3.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingsto...00XP/bridge.cab
O16 - DPF: {9D614E8E-03AA-11D3-90FC-0040C7157029} (PDMSInstallerCtl Class) - http://www.pakdata.c...MSInstaller.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo....cab?refid=4746
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator....ndle37v0d15.cab
O16 - DPF: {CAAE28D1-ADCC-11D1-BD4D-004845401881} (Urdu98 Control) - http://www.pakdata.c.../urduplugin.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} (G.a3) - http://www.fastfind....03C02/setup.exe
O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} - http://webpdp.gator....ndle43v2d26.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowersc...pcpowerscan.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} - http://cdn.climaxbuc...DistIOcrack.CAB
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.medi...suitnetwork.cab
O16 - DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} (EURAS_Portal.Gateway) - http://www.euras.com...ivex2/euras.CAB
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} - http://www.xxxtoolba...0006_cracks.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF29FF8C-B1EA-4A05-B79B-91C0465D8EE9}: NameServer = 209.47.15.118,64.157.143.38,192.168.121.252,192.168.121.253
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe

#2
miekiemoes

    Malware Expert

  • 5,503 posts
  • MVP
Hello, I already replied to your log here:
http://www.geekstogo...00

Could you stay in the same thread next time? Just click the 'Add Reply' button.
You haven't performed the things I asked you to -- at least, you didn't scan with an updated Ad-Aware SE and didn't perform the online scans with the scanners I told you to.

Please follow my steps. It is really important you perform those scans!! Then we can take care of the rest!

Also -- have you been fixing items yourself in your log? I see a whole bunch of O4's missing compared with your previous log, also legit ones!
But we'll find out later.

Now please perform my steps as I asked you in your other thread and post a new log afterwards.

Thank you.

#3
mnadeem

    Member

  • Topic Starter
  • 98 posts
Hi,
new log.
Tried everything .. then can go in to internet have to earlier stage system time.
Here is the new log:
Logfile of HijackThis v1.99.1
Scan saved at 5:23:31 PM, on 5/14/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Huey\HueyServ.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\RemotelyAnywhere\RaMaint.exe
C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
C:\WINDOWS\System32\r_server.exe
C:\Program Files\RemotelyAnywhere\RAGui.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\SrvAdmSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WT32EXE.EXE
c:\windows\system32\mfqfqhx.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\TightVNC-unstable\WinVNC.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\3B Software\Windows Registry Repair Pro\Windows Registry Repair Pro.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\tblmouse.exe
C:\Program Files\BullGuard\vsserv.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\shicoxp.exe
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\RAM Idle\RAM_XP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
C:\program files\umsd tools\umsd.exe
C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe
C:\windows\system32\msdmxm.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Blue Haven Media\KaZooM\KaZooM.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\Program Files\Kazaa Lite\kazaa.kpp
C:\PROGRA~1\ICQ\ICQ.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Huey\HueyController.exe
C:\WINDOWS\system32\rundll32.exe
C:\WINDOWS\system32\UMonit2K.exe
C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINDOWS\SPMSMON.EXE
C:\WINDOWS\system32\rundll32.exe
C:\Program Files\AdTools Service\AdTools.exe
C:\Program Files\Admanager Controller\AdManCtl.exe
C:\WINDOWS\system32\abasa5jrp.exe
C:\WINDOWS\xnnjfx.exe
C:\Program Files\ISTsvc\istsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\fnadeem\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = http://search.shopna...cid=shnv9886&s=
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
R3 - URLSearchHook: (no name) - {8952A998-1E7E-4716-B23D-3DBE03910972} - (no file)
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\system32\rsyncmon.dll
O2 - BHO: (no name) - {1D2C0698-8FF5-4060-B84C-F1117A9EA9B1} - C:\WINDOWS\System32\arctiveds.dll
O2 - BHO: (no name) - {206E52E0-D52E-11D4-AD54-0000E86C26F6} - C:\PROGRA~1\FRESHD~1\FRESHD~1\fdcatch.dll
O2 - BHO: (no name) - {253816F8-E9D4-4D78-94D8-806870C9B9B7} - C:\WINDOWS\system32\dccwfrp32.dll
O2 - BHO: (no name) - {2CF24D8F-D617-A9CA-4B46-DD38043D959D} - C:\WINDOWS\system32\favm.dll
O2 - BHO: (no name) - {2F82A540-98EA-45E3-BB01-1924B95F4205} - C:\WINDOWS\system32\fxsmofn.dll
O2 - BHO: BolgerObj Class - {302A3240-4805-4a34-97D7-1645A0B08410} - C:\WINDOWS\Bolger.dll
O2 - BHO: TBMouseGuestures Class - {3614926A-225F-4E00-8A1E-1D3095547FC8} - C:\Program Files\ToolButton\MouseGestures.dll
O2 - BHO: (no name) - {38D8FC82-A990-4AFC-BA78-DBC275032557} - C:\WINDOWS\System32\comcjat.dll
O2 - BHO: (no name) - {3A7DE571-E43B-49E6-9D6E-511925F512F3} - C:\WINDOWS\System32\ves.dll
O2 - BHO: IE 4.x-6.x BHO - {49E0E0F0-5C30-11D4-945D-000000000000} - C:\PROGRA~1\BEGONE~1\IEHelper.dll
O2 - BHO: (no name) - {4F19A2CF-C5C6-46D0-896E-37430B11B348} - C:\WINDOWS\system32\atsmlib.dll
O2 - BHO: (no name) - {5178E090-3692-47A3-B6BF-723ECEBDA03F} - C:\WINDOWS\System32\fehclient.dll
O2 - BHO: (no name) - {542C6E41-96F2-45BA-9B79-E5A322BD64D3} - C:\WINDOWS\System32\hcwtunoer.dll
O2 - BHO: (no name) - {5BB5EDE2-427F-4DC9-9E3E-ED93F8DEFA45} - C:\WINDOWS\System32\avviiewer.dll
O2 - BHO: (no name) - {5DB3DF0C-4F04-422D-8089-EAC9E085E20F} - C:\WINDOWS\system32\cocmpstui.dll
O2 - BHO: (no name) - {6291957C-8CE9-4c90-BEFF-12D9E68CFF30} - C:\Program Files\MoreGoogle\MoreGoogle.dll
O2 - BHO: (no name) - {654B6C90-DB39-400A-9720-C79EF2AAF1CE} - C:\WINDOWS\system32\duivx4.dll
O2 - BHO: (no name) - {6967170D-29CA-4CB5-B150-CCABE2F90DD9} - C:\WINDOWS\System32\hdmbho.dll
O2 - BHO: (no name) - {6EB32E91-494E-48D5-80F5-A573645C2556} - C:\WINDOWS\system32\cwlb.dll
O2 - BHO: (no name) - {7110E554-9A8D-4A76-8929-00B9260E83B1} - C:\WINDOWS\system32\javmen32.dll
O2 - BHO: (no name) - {79859B16-3FDA-4E22-8CAE-80EB2ADF5813} - C:\WINDOWS\system32\dllcda3d2.dll
O2 - BHO: (no name) - {79B249DB-A58E-4077-8985-CD029FBE419D} - C:\WINDOWS\System32\bbrowser.dll
O2 - BHO: (no name) - {7B08E694-E22E-4503-9924-9D702F898E97} - C:\WINDOWS\System32\sfxsevent.dll
O2 - BHO: (no name) - {887C075B-13A7-4715-90E5-FED0416599B4} - C:\WINDOWS\System32\bdeinsta2y5.dll
O2 - BHO: (no name) - {8DA3553D-0218-4F67-AC9D-AB0E94604908} - C:\WINDOWS\system32\d3td8.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {983B5C4A-345F-4358-AAE3-66FBE50963A3} - C:\WINDOWS\system32\dllaio32.dll
O2 - BHO: (no name) - {A9B35397-4D27-DE78-52AD-F0FF5C4696A3} - C:\DOCUME~1\MNADEE~1.000\APPLIC~1\CHICMF~1\FIRST ROAD.exe (file missing)
O2 - BHO: (no name) - {ABD4A9D4-67F8-427F-B2BF-177F07373FA6} - C:\WINDOWS\System32\ds3b2gt.dll
O2 - BHO: (no name) - {B9BB810E-3736-4F12-A78E-227C6D963E19} - C:\WINDOWS\System32\dpucdll.dll
O2 - BHO: AssistII - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\assist\asbar.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O2 - BHO: (no name) - {C2D2A467-28A2-4D02-BD55-9198A07763B5} - C:\WINDOWS\system32\atii3d1ag.dll
O2 - BHO: (no name) - {C5941EE5-6DFA-11D8-86B0-0002441A9695} - (no file)
O2 - BHO: (no name) - {C851667F-3E79-4585-82DD-0E7C1FB34B1D} - C:\WINDOWS\System32\mblackbox.dll
O2 - BHO: CnsHook Class - {D157330A-9EF3-49F8-9A67-4141AC41ADD4} - C:\WINDOWS\downlo~1\CnsHook.dll
O2 - BHO: (no name) - {D2C7B438-B439-4CF5-B48E-CBAA13B9D274} - C:\WINDOWS\system32\cddvbcontrol.dll
O2 - BHO: (no name) - {ECE7F64B-ABAC-4152-A853-AEB0025D5DA5} - C:\WINDOWS\System32\evcentcls.dll
O2 - BHO: (no name) - {ED78CA6C-4D2D-4E33-9B3A-86FCD476C3AF} - C:\WINDOWS\System32\3ivxvfgwcodec.dll
O2 - BHO: (no name) - {F132F4EB-AC4A-4C69-A6DC-44F9141EDD28} - C:\WINDOWS\system32\dpucdull.dll
O2 - BHO: (no name) - {F7BD10BE-FB6D-4F78-9FD2-BC87E800F6CB} - C:\WINDOWS\System32\elbycdhio.dll
O2 - BHO: (no name) - {FCE5FB3F-B603-4D2A-8BA5-7DCA2702910F} - C:\WINDOWS\system32\dpwfsockx.dll
O2 - BHO: (no name) - {FE258638-EA4C-409A-9C12-5582C9989C89} - C:\WINDOWS\System32\fxmstiff.dll
O2 - BHO: (no name) - {FFB8F363-39A6-4FFE-99F9-D0D51EA3A986} - C:\WINDOWS\system32\dplajy.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: EI????E? - {BB936323-19FA-4521-BA29-ECA6A121BC78} - C:\PROGRA~1\3721\assist\asbar.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: ISTbar - {FAA356E4-D317-42a6-AB41-A3021C6E7D52} - C:\Program Files\ISTbar\istbarcm.dll
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TVNCPro\bin\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Windows Task Manager] c:\windows\system32\taskmg.exe
O4 - HKLM\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\Windows Registry Repair Pro.exe -X
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TBLFUNC] tblmouse.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [RSync] C:\WINDOWS\system32\netsync.exe
O4 - HKLM\..\Run: [RemotelyAnywhere GUI] "C:\Program Files\RemotelyAnywhere\ragui.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RDesktop] "C:\PROGRA~1\01COM~1\I'MINT~1\BIN\rdesktop.exe" -servicehelper
O4 - HKLM\..\Run: [RCController] "C:\Program Files\TVNCPro\bin\processor.exe" -userLogin
O4 - HKLM\..\Run: [RCConnector] "C:\Program Files\TVNCPro\bin\connector.exe" -userLogin
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpInspector.exe] "C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe"
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools\umsd.exe sys_auto_run C:\Program Files\UMSD Tools
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [mswspl] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe"
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /nocomm
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [MediaLoads Installer] C:\Program Files\MSN\MSNCoreFiles\dw.exe /H
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [KaZooM] C:\Program Files\Blue Haven Media\KaZooM\KaZooM.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaa.kpp" /SYSTRAY
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [HueyToolbar] C:\Program Files\Huey\HueyController.exe
O4 - HKLM\..\Run: [helper.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\helper.dll,Rundll32
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [EvtHtm] c:\windows\system32\evthtm.exe /nocomm
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\edonkey2000.exe" -t
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [dupelogmoveblah] C:\Documents and Settings\All Users\Application Data\2 inter dupe log\clock axis.exe
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINDOWS\SPMSMON.EXE
O4 - HKLM\..\Run: [cesmain.dll] C:\WINDOWS\system32\rundll32.exe C:\PROGRA~1\3721\Ces\cmail.dll,Rundll32
O4 - HKLM\..\Run: [Breg] "C:\Program Files\Common Files\Java\bptre.exe"
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [abasa5jrp] C:\WINDOWS\system32\abasa5jrp.exe
O4 - HKLM\..\Run: [0fdxe2f] C:\WINDOWS\xnnjfx.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [hmxuzzx] c:\windows\system32\mfqfqhx.exe
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Ebates - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: Short Message - {00000000-0000-0001-0001-596BAEDD1289} - http://sms.3721.com/ie/index.htm (file missing)
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Hotmail - {4154081F-5411-4ce6-98A1-19DA0D11645E} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: Yahoo 1G mail - {507F9113-CD77-4866-BA92-0E86DA3D0B97} - http://cn.mail.yahoo.com/promo/rd1 (file missing)
O9 - Extra button: E bazar - {59BC54A2-56B3-44a0-93E5-432D58746E26} - http://hot.3721.com/rd/shop_btn.htm (file missing)
O9 - Extra button: 3721CMail - {5D73EE86-05F1-49ed-B850-E423120EC329} - http://cmail.3721.com?fb=client (file missing)
O9 - Extra button: 3721 Assistant - {5D73EE86-05F1-49ed-B850-E423120EC338} - http://assistant.372...ndex.htm?fb=Cns (file missing)
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: BINGOOO - {BEF0F2A3-86DD-4290-9DB5-99F1559665D2} - I:\Programme\BINGOOO\BINGOOO.exe (file missing)
O9 - Extra button: ???·´?E« - {C18CB140-0BBB-11D4-8FE8-0088CC102438} - http://www.k369.com (file missing)
O9 - Extra 'Tools' menuitem: ???·´?E« - {C18CB140-0BBB-11D4-8FE8-0088CC102438} - http://www.k369.com (file missing)
O9 - Extra button: IE Password - {C40E0AA1-4EC1-455C-BA2B-79C336F89462} - C:\WINDOWS\system32\IEPassword.dll
O9 - Extra button: Instant Messenger - {E5D12C4E-7B4F-11D3-B5C9-0050045C3C96} - http://cn.rd.yahoo.c...nger.yahoo.com/ (file missing)
O9 - Extra button: (no name) - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.372...ity1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: Repair Browser - {ECF2E268-F28C-48d2-9AB7-8F69C11CCB71} - http://assistant.372...ity1.htm?fb=Cns (file missing)
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: (no name) - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.372...ean1.htm?fb=Cns (file missing)
O9 - Extra 'Tools' menuitem: Clean Internet access record - {FD00D911-7529-4084-9946-A29F1BDF4FE5} - http://assistant.372...ean1.htm?fb=Cns (file missing)
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O9 - Extra 'Tools' menuitem: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Unknown file in Winsock LSP: c:\windows\system32\inetadpt.dll
O10 - Hijacked Internet access by New.Net
O10 - Hijacked Internet access by New.Net
O11 - Options group: [!CNS] Chinese keywords
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O15 - Trusted Zone: http://ny.contentmatch.net (HKLM)
O16 - DPF: {00000000-CDDC-0704-0B53-2C8830E9FAEC} - http://install.globa...de/ieloader.cab
O16 - DPF: {018B7EC3-EECA-11D3-8E71-0000E82C6C0D} (Installer Class) - http://www.xxxtoolba...s/v3.0/0006.cab
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {02C20140-76F8-4763-83D5-B660107B7A90} - http://download.onli...m/MaConnect.cab
O16 - DPF: {086A694F-91FB-4068-B44C-124FB69BF05D} - http://www.searchwww.com/search.cab
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\1189.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...0006_cracks.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c338.cab
O16 - DPF: {1678F7E1-C422-11D0-AD7D-00400515CAAA} - http://files.cometsy...011079175059309
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {1FDEC088-A699-46FE-BF76-D5FD6DAE6150} - http://www.armbender.com/UCSearch.CAB
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {30000273-8230-4DD4-BE4F-6889D1E74167} - http://download.abet...N14183/thin.cab
O16 - DPF: {3717DF57-0396-463D-98B7-647C7DC6898A} - http://delivery.inet....com/inetdl.exe
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_de.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {70A51FE4-7ACE-CCA3-8EAB-CDCE25CD862D} - http://public.search...12/kjebjqgl.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {7C559105-9ECF-42B8-B3F7-832E75EDD959} - http://www.xxxtoolba...006_regular.cab
O16 - DPF: {81F0C919-AB0B-4F5C-932D-5CEEF05879E9} (IITLoadCtrl Class) - https://locator.01co...p/iitloader.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {91433D86-9F27-402C-B5E3-DEBDD122C339} - http://www.netvenda....l/de/games3.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {9C691A33-7DDA-4C2F-BE4C-C176083F35CF} - http://www2.flingsto...00XP/bridge.cab
O16 - DPF: {9D614E8E-03AA-11D3-90FC-0040C7157029} (PDMSInstallerCtl Class) - http://www.pakdata.c...MSInstaller.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo....cab?refid=4746
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {C7B05B62-C8D7-438C-840B-4994DAAA8EEE} - http://webpdp.gator....ndle37v0d15.cab
O16 - DPF: {CAAE28D1-ADCC-11D1-BD4D-004845401881} (Urdu98 Control) - http://www.pakdata.c.../urduplugin.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} (G.a3) - http://www.fastfind....03C02/setup.exe
O16 - DPF: {DBAE7000-01EC-4162-8FEB-8A27AC937CA0} - http://webpdp.gator....ndle43v2d26.cab
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowersc...pcpowerscan.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O16 - DPF: {E8EDB60C-951E-4130-93DC-FAF1AD25F8E7} - http://cdn.climaxbuc...DistIOcrack.CAB
O16 - DPF: {EB6AFDAB-E16D-430B-A5EE-0408A12289DC} - http://download.medi...suitnetwork.cab
O16 - DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} (EURAS_Portal.Gateway) - http://www.euras.com...ivex2/euras.CAB
O16 - DPF: {EF86873F-04C2-4A95-A373-5703C08EFC7B} - http://www.xxxtoolba...0006_cracks.cab
O16 - DPF: {F5192746-22D6-41BD-9D2D-1E75D14FBD3C} - http://216.65.38.226/crack.CAB
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...ildAppNonUS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF29FF8C-B1EA-4A05-B79B-91C0465D8EE9}: NameServer = 209.47.15.118,64.157.143.38,192.168.121.252,192.168.121.253
O23 - Service: BullGuard Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe" /service (file missing)
O23 - Service: TridiaVNC Pro Connector To IAS (ConnectToIASConnector) - Unknown owner - C:\Program Files\TVNCPro\bin\connector.exe" -runService -connectInetAccess -silent 0 (file missing)
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\PROGRAM FILES\TELEDAT\de_serv.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: Huey Server (HueyServer) - Unknown owner - C:\Program Files\Huey\HueyServ.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: PlanetDNS Client - Unknown owner - C:\Program Files\NewAce Corporation\PlanetRemote\pdnsc.exe (file missing)
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - 3am Labs Ltd. - C:\Program Files\RemotelyAnywhere\RaMaint.exe
O23 - Service: TridiaVNC Pro Connector Direct (RCConnector) - Unknown owner - C:\Program Files\TVNCPro\bin\connector.exe" -runService -silent 0 (file missing)
O23 - Service: TridiaVNC Pro Controller (RCController) - Unknown owner - C:\Program Files\TVNCPro\bin\processor.exe" -runService -silent 0 (file missing)
O23 - Service: RemotelyAnywhere - 3am Labs Ltd. - C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SrvAdmin Security service (SrvAdmSrv) - HHD Software - C:\WINDOWS\System32\SrvAdmSrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINDOWS\System32\WT32EXE.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TridiaFTP Server (TridiaFTPServer) - Tridia Corporation - C:\Program Files\TVNCPro\bin\ftpd.exe
O23 - Service: BullGuard Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BullGuard\vsserv.exe" /service (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: BullGuard Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe" /service (file missing)
  • 0

#4
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
mnadeem,

You haven't done what I asked you to do.
You haven't uninstalled those programs I asked you to, you haven't scanned with the new Ad-Aware SE, because it takes care of a lot in your log, and you haven't performed those online scans I asked you to... so please, can you do this?

It's for a reason that I ask you to perform this. I know, it takes a while to scan and you want to get rid of this as soon as possible, but you have to understand, the more I will have you delete manually afterwards, the more chance there is you'll make mistakes that can totally screw up your system. Your system is really really infected, that's why it is so important you perform my steps.

I'll copy and paste my instructions again:

Hello, you have a real nice collection on your system.
You really need to change your surfing habits.

Uninstall the following via Add/Remove Programs:

AdTools Service
Admanager Controller
MyWay
ISTsvc
Istbar
NewDotNet (NewNet)
ShopAtHomeSelect
Freshdevices
Comet Cursor
IEPageHelper
Ebates_MoeMoneyMaker


REBOOT afterwards.

Download the latest version of Ad-Aware:
http://www.lavasoft....pport/download/

After installing AAW, and before running the program, please be sure to update the reference file following the instructions here:
http://www.lavahelp.net/howto/updref/

Reconfigure Ad-Aware for Full Scan:

Launch the program, and click on the Gear at the top of the start screen.

Click the 'Scanning' button.
Under Drives, Folders and Files, select 'Scan within Archives'.
Click 'Click here to select Drives + folders' and select your installed hard drives.

Under Memory & Registry, select all options.
Click the 'Advanced' button.
Under 'Log-file detail level', select all options.
Click the 'Tweaks' button.

Under 'Scanning Engine', select the following:
'Unload recognized processes during scanning.'
Under 'Cleaning Engine', select the following:
'Let Windows remove files in use after reboot.'
Click on 'Proceed' to save these Preferences.

Run the Ad-Aware scan and allow it to remove everything it finds and then REBOOT to allow it to finish.

* Perform an online scan with Kaspersky OnLine and/or Bitdefender (select autoclean here) and let it delete everything it finds.

Reboot again and post a new HijackThis log.


  • 0
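The uninstall list in the reply above maps onto startup (O4) entries in the posted HijackThis log. The following Python script is an added example, not part of the thread or of HijackThis: it parses O4 lines copied from that log and matches them against the list. The function names and the matching rule (case-insensitive substring of value name or path) are assumptions made for illustration.

```python
import re
from dataclasses import dataclass

# Programs the helper asked to be uninstalled (copied from the post above).
UNINSTALL_LIST = [
    "AdTools Service", "Admanager Controller", "MyWay", "ISTsvc", "Istbar",
    "NewDotNet (NewNet)", "ShopAtHomeSelect", "Freshdevices", "Comet Cursor",
    "IEPageHelper", "Ebates_MoeMoneyMaker",
]

# O4 lines copied verbatim from the HijackThis log posted in this thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [AdTools Service] C:\Program Files\AdTools Service\AdTools.exe
O4 - HKLM\..\Run: [Admanager Controller] C:\Program Files\Admanager Controller\AdManCtl.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [IST Service] C:\Program Files\ISTsvc\istsvc.exe
O4 - HKLM\..\Run: [New.net Startup] rundll32 C:\PROGRA~1\NEWDOT~1\NEWDOT~1.DLL,NewDotNetStartup -s
O4 - HKLM\..\Run: [EbatesMoeMoneyMaker0] "C:\Program Files\Ebates_MoeMoneyMaker\EbatesMoeMoneyMaker0.exe"
O4 - HKLM\..\Run: [DM_Server] C:\PROGRA~1\COMETS~1\DM\bin\dmserver.exe /onreboot
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
"""

# "O4 - <hive>\..\<Run key>: [<value name>] <command line>"
O4_RE = re.compile(
    r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\(?P<key>Run\w*): "
    r"\[(?P<name>[^\]]*)\] (?P<cmd>.+)$"
)
# 8.3 short path component such as PROGRA~1; the long name is not recoverable
# from the log alone, so name matching cannot see through it.
SHORT_NAME_RE = re.compile(r"[A-Z0-9]{1,6}~\d", re.IGNORECASE)


@dataclass
class RunEntry:
    hive: str      # HKLM or HKCU
    key: str       # Run, RunOnce, ...
    name: str      # registry value name shown in brackets
    command: str   # command line that runs at logon


def _norm(text):
    """Lowercase and drop everything except letters and digits."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def _needles(program):
    """'NewDotNet (NewNet)' yields both 'newdotnet' and 'newnet'."""
    return [n for n in (_norm(p) for p in re.split(r"[()]", program)) if n]


def parse_o4(log_text):
    """Return a RunEntry for every well-formed O4 line in the log text."""
    entries = []
    for line in log_text.splitlines():
        m = O4_RE.match(line.strip())
        if m:
            entries.append(RunEntry(m["hive"], m["key"], m["name"], m["cmd"]))
    return entries


def triage(entries, programs=UNINSTALL_LIST):
    """Match entries to the uninstall list.

    Returns (matched, short_paths): matched maps a listed program to the
    value names that reference it; short_paths holds unmatched entries whose
    command uses an 8.3 short name and therefore needs a manual look. An
    entry in short_paths is a review item, not a verdict.
    """
    matched, short_paths = {}, []
    for e in entries:
        hay = _norm(e.name + " " + e.command)
        hits = [p for p in programs if any(n in hay for n in _needles(p))]
        for p in hits:
            matched.setdefault(p, []).append(e.name)
        if not hits and SHORT_NAME_RE.search(e.command):
            short_paths.append(e.name)
    return matched, short_paths


if __name__ == "__main__":
    matched, short_paths = triage(parse_o4(SAMPLE_LOG))
    for program, names in matched.items():
        print(f"uninstall list: {program:22} <- {', '.join(names)}")
    print("short-path entries to review by hand:", ", ".join(short_paths))
```

Listed programs with no hit in the sample (for example Comet Cursor) are simply absent from `matched`; a truncated path such as `COMETS~1` cannot be tied to a product name by string matching.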

#5
mnadeem

    Member

  • Topic Starter
  • Member
  • 98 posts
I have done everything as you say but my system hanged
then earlier stage restore, all came back... so here is the log from Ad-Aware

Ad-Aware SE Build 1.05
Logfile Created on:Saturday, May 14, 2005 5:59:12 PM
Created with Ad-Aware SE Personal, free for private use.
Using definitions file:SE1R45 13.05.2005
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

References detected during the scan:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
180Solutions(TAC index:6):31 total references
AdDestroyer(TAC index:5):3 total references
Adsincontext(TAC index:6):137 total references
AltnetBDE(TAC index:4):38 total references
BargainBuddy(TAC index:8):359 total references
begin2search(TAC index:3):86 total references
BlazeFind(TAC index:5):17 total references
BookedSpace(TAC index:10):4 total references
BrilliantDigital(TAC index:6):15 total references
BroadCastPC(TAC index:7):3 total references
Claria(TAC index:7):19 total references
ClickSpring(TAC index:6):8 total references
CnsMin(TAC index:8):108 total references
CometSystems(TAC index:8):35 total references
Cydoor(TAC index:7):241 total references
DownloadWare(TAC index:8):12 total references
DyFuCA(TAC index:3):48 total references
Ebates MoneyMaker(TAC index:4):9 total references
EzuLa(TAC index:6):19 total references
Gigatech Superbar(TAC index:5):56 total references
Global Netcom Inc(TAC index:5):4 total references
HungryHands BHO(TAC index:3):1 total references
IBIS Toolbar(TAC index:5):71 total references
IGetNet(TAC index:8):10 total references
InternetDelivery(TAC index:5):6 total references
IPInsight(TAC index:7):23 total references
istbar(TAC index:7):65 total references
Lop(TAC index:7):10 total references
Malware.TopAntiSpyware(TAC index:7):9 total references
MediaCharger(TAC index:5):9 total references
MediaMotor(TAC index:8):3 total references
MoneyTree(TAC index:6):4 total references
MRU List(TAC index:0):30 total references
MyDailyHoroscope(TAC index:5):25 total references
Other(TAC index:5):11 total references
OverPro(TAC index:3):17 total references
Possible Browser Hijack attempt(TAC index:3):127 total references
PurityScan(TAC index:6):7 total references
Roings(TAC index:8):11 total references
SahAgent(TAC index:9):38 total references
SCBAR(TAC index:3):15 total references
Search Relevancy(TAC index:5):2 total references
searchwww.hijacker(TAC index:8):4 total references
Security iGuard(TAC index:9):2 total references
ShopNav Hijacker(TAC index:8):4 total references
StatBlaster(TAC index:8):2 total references
Tracking Cookie(TAC index:3):88 total references
UCSearch(TAC index:6):20 total references
UpdateLoader Malware(TAC index:5):3 total references
WebDialer(TAC index:5):4 total references
Win32.TrojanDownloader.TSUpdate(TAC index:6):1 total references
WindUpdates(TAC index:8):12 total references
VirtualBouncer(TAC index:5):4 total references
Virtumonde(TAC index:10):5 total references
VX2(TAC index:10):84 total references
Zango(TAC index:6):1 total references
ZipclixToolbar(TAC index:3):18 total references
ZyncosMark(TAC index:3):11 total references
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

Definition File:
=========================
Definitions File Loaded:
Reference Number : SE1R8 13.09.2004
Internal build : 12
File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\defs.ref
File size : 344723 Bytes
Total size : 1092481 Bytes
Signature data size : 1068971 Bytes
Reference data size : 22998 Bytes
Signatures total : 30122
Fingerprints total : 154
Fingerprints size : 7129 Bytes
Target categories : 15
Target families : 560

5-14-2005 5:37:33 PM Performing WebUpdate...

Installing Update...
Definitions File Loaded:
Reference Number : SE1R45 13.05.2005
Internal build : 53
File location : C:\PROGRA~1\Lavasoft\AD-AWA~1\defs.ref
File size : 473168 Bytes
Total size : 1430575 Bytes
Signature data size : 1399518 Bytes
Reference data size : 30545 Bytes
Signatures total : 39932
Fingerprints total : 881
Fingerprints size : 30173 Bytes
Target categories : 15
Target families : 672


5-14-2005 5:37:40 PM Success
Update successfully downloaded and installed.


Memory + processor status:
==========================
Number of processors : 1
Processor architecture : Non Intel
Memory available:19 %
Total physical memory:523760 kb
Available physical memory:96120 kb
Total page file size:2066376 kb
Available on page file:1632408 kb
Total virtual memory:2097024 kb
Available virtual memory:2017732 kb
OS:Microsoft Windows XP Professional Service Pack 2 (Build 2600)

Ad-Aware SE Settings
===========================
Set : Search for negligible risk entries
Set : Safe mode (always request confirmation)
Set : Scan active processes
Set : Scan registry
Set : Deep-scan registry
Set : Scan my IE Favorites for banned URLs
Set : Scan within archives
Set : Scan my Hosts file

Extended Ad-Aware SE Settings
===========================
Set : Unload recognized processes & modules during scan
Set : Scan registry for all users instead of current user only
Set : Always try to unload modules before deletion
Set : During removal, unload Explorer and IE if necessary
Set : Let Windows remove files in use at next reboot
Set : Delete quarantined objects after restoring
Set : Include basic Ad-Aware settings in log file
Set : Include additional Ad-Aware settings in log file
Set : Include reference summary in log file
Set : Include alternate data stream details in log file
Set : Play sound at scan completion if scan locates critical objects


5/14/2005 5:59:13 PM - Scan started. (Full System Scan)

MRU List Object Recognized!
Location: : C:\Documents and Settings\fnadeem\recent
Description : list of recently opened documents


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct3d


MRU List Object Recognized!
Location: : software\microsoft\direct3d\mostrecentapplication
Description : most recent application to use microsoft direct X


MRU List Object Recognized!
Location: : software\microsoft\directdraw\mostrecentapplication
Description : most recent application to use microsoft directdraw


MRU List Object Recognized!
Location: : S-1-5-21-448539723-152049171-854245398-1016\software\microsoft\internet explorer
Description : last download directory used in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : S-1-5-21-448539723-152049171-854245398-1016\software\microsoft\internet explorer\typedurls
Description : list of recently entered addresses in microsoft internet explorer


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-448539723-152049171-854245398-1016\software\microsoft\mediaplayer\preferences
Description : last cd record path used in microsoft windows media player


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-19\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-20\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : S-1-5-21-448539723-152049171-854245398-1016\software\microsoft\mediaplayer\preferences
Description : last playlist loaded in microsoft windows media player


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-448539723-152049171-854245398-1016\software\microsoft\windows\currentversion\applets\regedit
Description : last key accessed using the microsoft registry editor


MRU List Object Recognized!
Location: : S-1-5-21-448539723-152049171-854245398-1016\software\microsoft\windows\currentversion\explorer\comdlg32\lastvisitedmru
Description : list of recent programs opened


MRU List Object Recognized!
Location: : S-1-5-21-448539723-152049171-854245398-1016\software\microsoft\windows\currentversion\explorer\comdlg32\opensavemru
Description : list of recently saved files, stored according to file extension


MRU List Object Recognized!
Location: : S-1-5-21-448539723-152049171-854245398-1016\software\microsoft\windows\currentversion\explorer\recentdocs
Description : list of recent documents opened


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-448539723-152049171-854245398-1016\software\microsoft\windows\currentversion\explorer\runmru
Description : mru list for items opened in start | run


MRU List Object Recognized!
Location: : S-1-5-21-448539723-152049171-854245398-1016\software\nvidia corporation\global\nview\windowmanagement
Description : nvidia nview cached application window positions


MRU List Object Recognized!
Location: : .DEFAULT\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-18\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-20\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


MRU List Object Recognized!
Location: : S-1-5-21-448539723-152049171-854245398-1016\software\microsoft\windows media\wmsdk\general
Description : windows media sdk


Listing running processes
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

#:1 [smss.exe]
FilePath : \SystemRoot\System32\
ProcessID : 668
ThreadCreationTime : 5/14/2005 3:02:07 PM
BasePriority : Normal


#:2 [winlogon.exe]
FilePath : \??\C:\WINDOWS\SYSTEM32\
ProcessID : 772
ThreadCreationTime : 5/14/2005 3:02:17 PM
BasePriority : High


#:3 [services.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 816
ThreadCreationTime : 5/14/2005 3:02:17 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Services and Controller app
InternalName : services.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : services.exe

#:4 [lsass.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 844
ThreadCreationTime : 5/14/2005 3:02:17 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : LSA Shell (Export Version)
InternalName : lsass.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : lsass.exe
Warning! Virtumonde Object found in memory(C:\WINDOWS\System32\inetadpt.dll)

Virtumonde Object Recognized!
Type : Process
Data : inetadpt.dll
Category : Malware
Comment :
Object : C:\WINDOWS\System32\
FileVersion : 0, 403, 29, 1705
ProductVersion : 1, 1, 0, 0
ProductName : TargetSoft
InternalName : inetadpt.dll
LegalCopyright : Copyright 2003
OriginalFilename : inetadpt.dll
Comments : TargetSoft

Warning! "C:\WINDOWS\system32\lsass.exe"Process could not be terminated!

#:5 [svchost.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1028
ThreadCreationTime : 5/14/2005 3:02:21 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:6 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1152
ThreadCreationTime : 5/14/2005 3:02:21 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:7 [incdsrv.exe]
FilePath : C:\Program Files\Ahead\InCD\
ProcessID : 1172
ThreadCreationTime : 5/14/2005 3:02:21 PM
BasePriority : Normal
FileVersion : 4, 3, 11, 1
ProductVersion : 4, 3, 11, 1
ProductName : Nero AG incdsrv
CompanyName : Nero AG
FileDescription : incdsrv
InternalName : incdsrv
LegalCopyright : Copyright 1995-2005 Nero AG and its licensors. All Rights Reserved.
LegalTrademarks : InCD is a trademark of Nero AG
OriginalFilename : incdsrv.exe

#:8 [smc.exe]
FilePath : C:\Program Files\Sygate\SPF\
ProcessID : 1304
ThreadCreationTime : 5/14/2005 3:02:23 PM
BasePriority : Normal
FileVersion : 5.6.00.2808
ProductVersion : 5.6.00.2808
ProductName : Sygate® Security Agent and Personal Firewall
CompanyName : Sygate Technologies, Inc.
FileDescription : Sygate Agent Firewall
InternalName : Smc
LegalCopyright : Copyright © 1999 - 2004 Sygate Technologies, Inc. All rights reserved.
OriginalFilename : Smc.EXE

#:9 [spoolsv.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 1624
ThreadCreationTime : 5/14/2005 3:02:24 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Spooler SubSystem App
InternalName : spoolsv.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : spoolsv.exe
Warning! VX2 Object found in memory(C:\WINDOWS\system32\DrPMon.dll)

VX2 Object Recognized!
Type : Process
Data : DrPMon.dll
Category : Malware
Comment :
Object : C:\WINDOWS\system32\
FileVersion : 1, 0, 0, 5
ProductVersion : 1, 0, 0, 0
ProductName : DrPMon PrintMonitor
CompanyName : Direct Revenue
FileDescription : DrPMon PrintMonitor
InternalName : DrPMon
LegalCopyright : Copyright © 2005
OriginalFilename : DrPMon.dll


#:10 [gbpoll.exe]
FilePath : C:\Program Files\Roxio\GoBack\
ProcessID : 520
ThreadCreationTime : 5/14/2005 3:02:33 PM
BasePriority : Normal


#:11 [gearsec.exe]
FilePath : C:\WINDOWS\SYSTEM32\
ProcessID : 540
ThreadCreationTime : 5/14/2005 3:02:33 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 6
ProductVersion : 1, 0, 0, 6
ProductName : gearsec
CompanyName : GEAR Software
FileDescription : gearsec
InternalName : gearsec
LegalCopyright : Copyright © 2001-2003 GEAR Software
OriginalFilename : gearsec.exe

#:12 [hueyserv.exe]
FilePath : C:\Program Files\Huey\
ProcessID : 556
ThreadCreationTime : 5/14/2005 3:02:33 PM
BasePriority : Normal


#:13 [inetinfo.exe]
FilePath : C:\WINDOWS\System32\inetsrv\
ProcessID : 588
ThreadCreationTime : 5/14/2005 3:02:34 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Internet Information Services
CompanyName : Microsoft Corporation
FileDescription : Internet Information Services
InternalName : INETINFO.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : INETINFO.EXE

#:14 [nvsvc32.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 728
ThreadCreationTime : 5/14/2005 3:02:35 PM
BasePriority : Normal
FileVersion : 6.14.10.5216
ProductVersion : 6.14.10.5216
ProductName : NVIDIA Driver Helper Service, Version 52.16
CompanyName : NVIDIA Corporation
FileDescription : NVIDIA Driver Helper Service, Version 52.16
InternalName : NVSVC
LegalCopyright : © NVIDIA Corporation. All rights reserved.
OriginalFilename : nvsvc32.exe

#:15 [ramaint.exe]
FilePath : C:\Program Files\RemotelyAnywhere\
ProcessID : 1316
ThreadCreationTime : 5/14/2005 3:02:45 PM
BasePriority : Normal
FileVersion : 5.33.435
ProductVersion : 5.33.435
ProductName : RemotelyAnywhere
CompanyName : 3am Labs Ltd.
FileDescription : RemotelyAnywhere Maintenance Service
InternalName : RAMaint
LegalCopyright : Copyright © 1998-2004 3am Labs Ltd. All rights reserved.
OriginalFilename : ramaint.exe

#:16 [remotelyanywhere.exe]
FilePath : C:\Program Files\RemotelyAnywhere\
ProcessID : 1724
ThreadCreationTime : 5/14/2005 3:02:50 PM
BasePriority : Normal
FileVersion : 5.33.435
ProductVersion : 5.33.435
ProductName : RemotelyAnywhere
CompanyName : 3am Labs Ltd.
FileDescription : RemotelyAnywhere
InternalName : RemotelyAnywhere
LegalCopyright : Copyright © 1998-2004 3am Labs Ltd. All rights reserved.
OriginalFilename : RemotelyAnywhere.exe

#:17 [r_server.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 1764
ThreadCreationTime : 5/14/2005 3:02:50 PM
BasePriority : Normal
FileVersion : 2, 2, 0, 0
ProductVersion : 2, 2, 0, 0
ProductName : Remote Administrator
FileDescription : Remote control tool
InternalName : R_server
LegalCopyright : Software and all its components Copyright © 1999-2004 Dmitri Znosko. All rights reserved.
LegalTrademarks : Radmin, Remote Administrator
OriginalFilename : R_server.exe
Comments : Server part

#:18 [tcpsvcs.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2124
ThreadCreationTime : 5/14/2005 3:02:54 PM
BasePriority : Normal
FileVersion : 5.1.2600.0 (xpclient.010817-1148)
ProductVersion : 5.1.2600.0
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : TCP/IP Services Application
InternalName : TCPSVCS.EXE
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : TCPSVCS.EXE

#:19 [snmp.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2152
ThreadCreationTime : 5/14/2005 3:02:54 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : SNMP Service
InternalName : snmp.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : snmp.exe

#:20 [srvadmsrv.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2168
ThreadCreationTime : 5/14/2005 3:02:54 PM
BasePriority : Normal
FileVersion : 1, 0, 0, 8
ProductVersion : 1, 0, 0, 2
ProductName : HHD Service Administrator and SafeLaunch
CompanyName : HHD Software
FileDescription : HHD SrvAdmin Security service
InternalName : SrvAdmSrv
LegalCopyright : Copyright © 2000 by HHD Software
OriginalFilename : SrvAdmSrv.exe

#:21 [svchost.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2200
ThreadCreationTime : 5/14/2005 3:02:55 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Generic Host Process for Win32 Services
InternalName : svchost.exe
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : svchost.exe

#:22 [wt32exe.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2308
ThreadCreationTime : 5/14/2005 3:02:55 PM
BasePriority : Realtime
FileVersion : 1, 5, 0, 0
ProductVersion : 1, 0, 0, 1
ProductName : Aiptek wt32exe
CompanyName : Aiptek
FileDescription : wt32exe
InternalName : wt32exe
LegalCopyright : Copyright c 2000
OriginalFilename : wt32exe.exe

#:23 [wfxsvc.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2584
ThreadCreationTime : 5/14/2005 3:02:59 PM
BasePriority : Normal
FileVersion : 9.02.98.1128
ProductVersion : 9.02
ProductName : Symantec WinFax PRO
CompanyName : Symantec Corporation
FileDescription : Symantec WinFax PRO NT Service
InternalName : WFXSVC
LegalCopyright : Copyright © Symantec Corporation. 1990-1998
LegalTrademarks : Symantec WinFax PRO ® is a registered trademark of Symantec Corporation

#:24 [winvnc.exe]
FilePath : C:\Program Files\TightVNC-unstable\
ProcessID : 2644
ThreadCreationTime : 5/14/2005 3:02:59 PM
BasePriority : Normal
FileVersion : 1, 3, 0, 5
ProductVersion : 1, 3, 0, 5
ProductName : TightVNC Win32 Server
CompanyName : Constantin Kaplinsky
FileDescription : TightVNC Win32 Server
InternalName : WinVNC
LegalCopyright : Copyright © 1998-2004 [many holders]
OriginalFilename : WinVNC.exe
Comments : Based on TridiaVNC by Tridia Corporation

#:25 [winvnc4.exe]
FilePath : C:\Program Files\RealVNC\VNC4\
ProcessID : 2692
ThreadCreationTime : 5/14/2005 3:03:01 PM
BasePriority : Normal
FileVersion : 4.0
ProductVersion : 4.0
ProductName : VNC Server 4.0
CompanyName : RealVNC Ltd.
FileDescription : VNC Server for Win32
InternalName : WinVNC 4.0
LegalCopyright : Copyright © RealVNC Ltd. 2002-2004
LegalTrademarks : RealVNC
OriginalFilename : winvnc4.exe

#:26 [xcommsvr.exe]
FilePath : C:\Program Files\Common Files\BullGuard\BullGuard Communicator\
ProcessID : 2724
ThreadCreationTime : 5/14/2005 3:03:02 PM
BasePriority : Normal
FileVersion : 1, 7, 0, 6
ProductVersion : 1, 7, 0, 6
ProductName : Softwin BullGuard Communicator Server
CompanyName : Softwin
FileDescription : BullGuard Communicator Server
InternalName : XCOMMSVR
LegalCopyright : Copyright © 2003-2004 Softwin
OriginalFilename : xcommsvr.exe
Comments : Manages communication between BitDefender components

#:27 [mqsvc.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 2756
ThreadCreationTime : 5/14/2005 3:03:02 PM
BasePriority : Normal
FileVersion : 5.01.1108
ProductVersion : 5.01.1108
ProductName : Microsoft Message Queue
CompanyName : Microsoft Corporation
FileDescription : Message Queuing Service
LegalCopyright : Copyright © Microsoft Corporation. 1981-2000
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows NT™ is a trademark of Microsoft Corporation
OriginalFilename : MQSVC.EXE
Warning! Virtumonde Object found in memory(C:\WINDOWS\System32\inetadpt.dll)

Virtumonde Object Recognized!
Type : Process
Data : inetadpt.dll
Category : Malware
Comment :
Object : C:\WINDOWS\System32\
FileVersion : 0, 403, 29, 1705
ProductVersion : 1, 1, 0, 0
ProductName : TargetSoft
InternalName : inetadpt.dll
LegalCopyright : Copyright 2003
OriginalFilename : inetadpt.dll
Comments : TargetSoft

Warning! "C:\WINDOWS\System32\mqsvc.exe"Process could not be terminated!

#:28 [bdss.exe]
FilePath : C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\
ProcessID : 2808
ThreadCreationTime : 5/14/2005 3:03:03 PM
BasePriority : Normal


#:29 [mqtgsvc.exe]
FilePath : C:\WINDOWS\System32\
ProcessID : 3188
ThreadCreationTime : 5/14/2005 3:03:07 PM
BasePriority : Normal
FileVersion : 5.01.1108
ProductVersion : 5.01.1108
ProductName : Microsoft Message Queue
CompanyName : Microsoft Corporation
FileDescription : Windows NT MSMQ Trigger Service
LegalCopyright : Copyright © Microsoft Corporation. 1981-2000
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation. Windows NT™ is a trademark of Microsoft Corporation
OriginalFilename : QMTGSVC.EXE

#:30 [vsserv.exe]
FilePath : C:\Program Files\BullGuard\
ProcessID : 3440
ThreadCreationTime : 5/14/2005 3:03:15 PM
BasePriority : Normal


#:31 [jusched.exe]
FilePath : C:\Program Files\Java\j2re1.4.2_05\bin\
ProcessID : 3480
ThreadCreationTime : 5/14/2005 3:03:17 PM
BasePriority : Normal


#:32 [popupinspector.exe]
FilePath : C:\Program Files\GIANT Company Software inc\PopUp Inspector\
ProcessID : 3980
ThreadCreationTime : 5/14/2005 3:03:27 PM
BasePriority : Normal
FileVersion : 1.05.0432
ProductVersion : 1.05.0432
ProductName : PopUpInspector
CompanyName : GIANT Company Software inc.
InternalName : PopUpInspector
OriginalFilename : PopUpInspector.exe

#:33 [mwsoemon.exe]
FilePath : C:\PROGRA~1\MyWay\bar\2.bin\
ProcessID : 384
ThreadCreationTime : 5/14/2005 3:03:37 PM
BasePriority : Normal
FileVersion : 1,2,0,4
ProductVersion : 1,2,0,4
ProductName : My Way Email Plugin
CompanyName : MyWay.com
FileDescription : My Way Email Plugin
InternalName : My Way Email Plugin
LegalCopyright : Copyright © 2003-2004 MyWay.com
OriginalFilename : mwsoemon.exe

#:34 [msnappau.exe]
FilePath : C:\Program Files\MSN Apps\Updater\01.02.3000.1001\de\
ProcessID : 660
ThreadCreationTime : 5/14/2005 3:03:38 PM
BasePriority : Normal


#:35 [kazaa.kpp]
FilePath : C:\Program Files\Kazaa Lite\
ProcessID : 2944
ThreadCreationTime : 5/14/2005 3:03:53 PM
BasePriority : Normal
FileVersion : 2, 0, 2, 0
ProductVersion : 2, 0, 2, 0
ProductName : Kazaa Lite
FileDescription : Kazaa Lite
InternalName : kazaa
LegalCopyright : Nothing is copyrighted in the world of Kazaa
LegalTrademarks : No
OriginalFilename : Kazaa.EXE
Comments : Kazaa Lite rocks!

#:36 [iexplore.exe]
FilePath : C:\Program Files\Internet Explorer\
ProcessID : 3628
ThreadCreationTime : 5/14/2005 3:05:13 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Internet Explorer
InternalName : iexplore
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : IEXPLORE.EXE

#:37 [rundll32.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 288
ThreadCreationTime : 5/14/2005 3:05:26 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Run a DLL as an App
InternalName : rundll
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : RUNDLL.EXE

#:38 [msmsgs.exe]
FilePath : C:\Program Files\Messenger\
ProcessID : 2908
ThreadCreationTime : 5/14/2005 3:05:33 PM
BasePriority : Normal
FileVersion : 4.7.3001
ProductVersion : Version 4.7.3001
ProductName : Messenger
CompanyName : Microsoft Corporation
FileDescription : Windows Messenger
InternalName : msmsgs
LegalCopyright : Copyright © Microsoft Corporation 2004
LegalTrademarks : Microsoft® is a registered trademark of Microsoft Corporation in the U.S. and/or other countries.
OriginalFilename : msmsgs.exe

#:39 [avant.exe]
FilePath : C:\Program Files\Avant Browser\
ProcessID : 5248
ThreadCreationTime : 5/14/2005 3:11:26 PM
BasePriority : Normal
FileVersion : 10.0.0.167
ProductVersion : 10.0
ProductName : Avant Browser
FileDescription : Avant Browser

#:40 [hijackthis.exe]
FilePath : C:\Documents and Settings\fnadeem\Desktop\New Folder\
ProcessID : 3816
ThreadCreationTime : 5/14/2005 3:23:27 PM
BasePriority : Normal
FileVersion : 1.99.0001
ProductVersion : 1.99.0001
ProductName : HijackThis
CompanyName : Soeperman Enterprises Ltd.
FileDescription : HijackThis
InternalName : HijackThis
LegalCopyright : Freeware
OriginalFilename : HijackThis.exe
Comments : Version history is in Help section

#:41 [ad-aware.exe]
FilePath : C:\PROGRA~1\Lavasoft\AD-AWA~1\
ProcessID : 4152
ThreadCreationTime : 5/14/2005 3:36:50 PM
BasePriority : Normal
FileVersion : 6.2.0.206
ProductVersion : VI.Second Edition
ProductName : Lavasoft Ad-Aware SE
CompanyName : Lavasoft Sweden
FileDescription : Ad-Aware SE Core application
InternalName : Ad-Aware.exe
LegalCopyright : Copyright © Lavasoft Sweden
OriginalFilename : Ad-Aware.exe
Comments : All Rights Reserved

#:42 [ceewbw.exe]
FilePath : c:\windows\system32\
ProcessID : 3048
ThreadCreationTime : 5/14/2005 3:38:50 PM
BasePriority : Normal
FileVersion : 1, 0, 7, 1
ProductVersion : 0, 0, 7, 0
ProductName : TODO: <Product name>
CompanyName : TODO: <Company name>
FileDescription : TODO: <File description>
LegalCopyright : TODO: © <Company name>. All rights reserved.

#:43 [ctfmon.exe]
FilePath : C:\WINDOWS\system32\
ProcessID : 4164
ThreadCreationTime : 5/14/2005 3:44:23 PM
BasePriority : Normal
FileVersion : 5.1.2600.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 5.1.2600.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : CTF Loader
InternalName : CTFMON
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : CTFMON.EXE

#:44 [explorer.exe]
FilePath : C:\WINDOWS\
ProcessID : 3436
ThreadCreationTime : 5/14/2005 3:55:47 PM
BasePriority : Normal
FileVersion : 6.00.2900.2180 (xpsp_sp2_rtm.040803-2158)
ProductVersion : 6.00.2900.2180
ProductName : Microsoft® Windows® Operating System
CompanyName : Microsoft Corporation
FileDescription : Windows Explorer
InternalName : explorer
LegalCopyright : © Microsoft Corporation. All rights reserved.
OriginalFilename : EXPLORER.EXE
Warning! BlazeFind Object found in memory(C:\Windows\System32\omniband.dll)

BlazeFind Object Recognized!
Type : Process
Data : omniband.dll
Category : Malware
Comment :
Object : C:\Windows\System32\
FileVersion : 1, 0, 0, 1
ProductVersion : 1, 0, 0, 1
ProductName : WindowsSaBand Module
FileDescription : WindowsSaBand Module
InternalName : WindowsSaBand
LegalCopyright : Copyright 2004
OriginalFilename : WindowsSaBand.DLL

Warning! Malware.TopAntiSpyware Object found in memory(C:\WINDOWS\System32\srpcsrv32.dll)

Malware.TopAntiSpyware Object Recognized!
Type : Process
Data : srpcsrv32.dll
Category : Malware
Comment :
Object : C:\WINDOWS\System32\


Warning! Malware.TopAntiSpyware Object found in memory(C:\WINDOWS\System32\spoolsrv32.exe)

Malware.TopAntiSpyware Object Recognized!
Type : Process
Data : spoolsrv32.exe
Category : Malware
Comment :
Object : C:\WINDOWS\System32\


"C:\WINDOWS\System32\spoolsrv32.exe"Process terminated successfully

Memory scan result:
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
New critical objects: 1
Objects found so far: 36


Started registry scan
»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{16b238d5-80de-47ce-8f17-b3ece2c2248d}

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{16b238d5-80de-47ce-8f17-b3ece2c2248d}
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{57cb9b97-9ff9-4c87-88a4-56a867ffc95e}

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{57cb9b97-9ff9-4c87-88a4-56a867ffc95e}
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{227d1e33-ead4-4ace-be32-4acfaad072dd}

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : var3.rsynchlpr

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : var3.rsynchlpr
Value :

begin2search Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : var3.rsynchlpr.1

begin2search Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : var3.rsynchlpr.1
Value :

BlazeFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{14d2cffe-6656-4bec-8d9e-dde6f2d4eae5}

BlazeFind Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{14d2cffe-6656-4bec-8d9e-dde6f2d4eae5}
Value :

BlazeFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{0b3569d7-1ea4-4cba-ac13-225902619789}

BlazeFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : windowssaband.winsaband

BlazeFind Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : windowssaband.winsaband
Value :

BlazeFind Object Recognized!
Type : Regkey
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : windowssaband.winsaband.1

BlazeFind Object Recognized!
Type : RegValue
Data :
Category : Malware
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : windowssaband.winsaband.1
Value :

BrilliantDigital Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{3eec42b5-fb94-40d3-a588-bb54b383a7cb}

BrilliantDigital Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{3eec42b5-fb94-40d3-a588-bb54b383a7cb}
Value :

BrilliantDigital Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{5aaa506a-ceb1-441a-9f05-43fae6b8a495}

BrilliantDigital Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{5aaa506a-ceb1-441a-9f05-43fae6b8a495}
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : assist.easyassist

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : assist.easyassist
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : assist.easyassist.1

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : assist.easyassist.1
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cesweb.web

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cesweb.web
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cesweb.web.1

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cesweb.web.1
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{1b0e7716-898e-48cc-9690-4e338e8de1d3}

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{1b0e7716-898e-48cc-9690-4e338e8de1d3}
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{6231d512-e4a4-4df2-be62-5b8f0ee348ef}

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{6231d512-e4a4-4df2-be62-5b8f0ee348ef}
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{b83fc273-3522-4cc6-92ec-75cc86678da4}
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cnshelper.ch

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cnshelper.ch
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cnshelper.ch.1

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cnshelper.ch.1
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cnsminhk.cnshook

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cnsminhk.cnshook
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cnsminhk.cnshook.1

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cnsminhk.cnshook.1
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1bb0abbe-2d95-4847-b9d8-6f90de3714c1}

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{1bb0abbe-2d95-4847-b9d8-6f90de3714c1}
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{924f5b3a-7a27-484a-b873-e855c9708667}

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{924f5b3a-7a27-484a-b873-e855c9708667}
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{df692509-d9ef-48a0-9cd0-3aa5b81f6f68}

CnsMin Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : interface\{df692509-d9ef-48a0-9cd0-3aa5b81f6f68}
Value :

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{0c618dcf-cfbd-448e-8ba0-c49a2cdfa2a7}

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{19069804-2cf0-4357-b696-ba6e9aad99ef}

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{a5adeae7-a8b4-4f94-9128-bf8d8db5e927}

CnsMin Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : typelib\{aab6bce3-1df6-4930-9b14-9ca79dc8c267}

CometSystems Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{16bc6464-196a-4bab-a14b-f69f8a0a60f7}

CometSystems Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{16bc6464-196a-4bab-a14b-f69f8a0a60f7}
Value :

CometSystems Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{16bc6464-196a-4bab-a14b-f69f8a0a60f7}
Value : AppID

CometSystems Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{197ab1d7-a7dd-4c86-a938-1fcc0db21b85}

CometSystems Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{197ab1d7-a7dd-4c86-a938-1fcc0db21b85}
Value :

CometSystems Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{f59c663d-e891-492c-86e3-0758c71885c2}

CometSystems Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : clsid\{f59c663d-e891-492c-86e3-0758c71885c2}
Value :

CometSystems Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cssecurity.htmlsecurity

CometSystems Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cssecurity.htmlsecurity
Value :

CometSystems Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cssecurity.htmlsecurity.1

CometSystems Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : cssecurity.htmlsecurity.1
Value :

CometSystems Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : dmproxy.dmproxyctl

CometSystems Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : dmproxy.dmproxyctl
Value :

CometSystems Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : dmproxy.dmproxyctl.1

CometSystems Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : dmproxy.dmproxyctl.1
Value :

CometSystems Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : dmserver.dmnotify

CometSystems Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : dmserver.dmnotify
Value :

CometSystems Object Recognized!
Type : Regkey
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT
Object : dmserver.dmnotify.1

CometSystems Object Recognized!
Type : RegValue
Data :
Category : Data Miner
Comment :
Rootkey : HKEY_CLASSES_ROOT

#6
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP

i have done everything as you say but my system hanged
then earlier stage restore all came back


Of course if you perform system restore, it all comes back!!
Please don't perform it!! Otherwise this really won't work.


Ok, we'll have to try this again, I'm going to add some extra steps now..
We're going to perform this in safe mode, for better measure.
Please follow all the next steps in the right order

First, we are going to flush your System Restore points, because I've seen a lot of cases where a lot of scanners crash on that.
Note: this will delete all your System Restore points and the malware that was present in them.
How to disable system restore in XP
Reboot.. and after rebooting, enable it again and create a new System Restore point.

* Download and install Ccleaner: http://www.ccleaner.com/
Don't use it yet!

* Please download ewido:
http://www.ewido.net/en/download/
Let it update, but don't let it scan yet!!

* Reboot into Safe Mode:
To get into Safe Mode, press and hold your "F8 Key" as the computer is booting. Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start Ccleaner and click Run Cleaner.

* Still in safe mode, perform a full scan with ewido and let it delete everything it is finding!
When done, you'll get the option to make a log and save it.
So save it because I'll need it later.

* Run a full scan with Adaware SE again and let it delete everything it is finding!

Reboot back to normal mode and post a new HijackThis log together with the log from ewido.
  • 0

#7
mnadeem

    Member

  • Topic Starter
  • Member
  • 98 posts
ok going in safemode here is new log
Logfile of HijackThis v1.99.1
Scan saved at 12:36:16 PM, on 5/15/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Huey\HueyServ.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\Program Files\RemotelyAnywhere\RaMaint.exe
C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
C:\WINDOWS\System32\r_server.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\SrvAdmSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WT32EXE.EXE
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\TightVNC-unstable\WinVNC.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
C:\Program Files\BullGuard\vsserv.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\Explorer.EXE
c:\windows\system32\brzwqtp.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\Program Files\3B Software\Windows Registry Repair Pro\Windows Registry Repair Pro.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\tblmouse.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\shicoxp.exe
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\RemotelyAnywhere\ragui.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\RAM Idle\RAM_XP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
C:\program files\umsd tools\umsd.exe
C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe
C:\windows\system32\msdmxm.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Blue Haven Media\KaZooM\KaZooM.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\WINDOWS\System32\svchost.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Kazaa Lite\kazaa.kpp
C:\Program Files\Huey\HueyController.exe
C:\WINDOWS\system32\UMonit2K.exe
C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINDOWS\SPMSMON.EXE
C:\windows\system32\dxvid.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\Documents and Settings\fnadeem\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\system32\rsyncmon.dll
O2 - BHO: TBMouseGuestures Class - {3614926A-225F-4E00-8A1E-1D3095547FC8} - C:\Program Files\ToolButton\MouseGestures.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {B9BB810E-3736-4F12-A78E-227C6D963E19} - C:\WINDOWS\System32\dpucdll.dll
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TVNCPro\bin\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\Windows Registry Repair Pro.exe -X
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TBLFUNC] tblmouse.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [RemotelyAnywhere GUI] "C:\Program Files\RemotelyAnywhere\ragui.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RDesktop] "C:\PROGRA~1\01COM~1\I'MINT~1\BIN\rdesktop.exe" -servicehelper
O4 - HKLM\..\Run: [RCController] "C:\Program Files\TVNCPro\bin\processor.exe" -userLogin
O4 - HKLM\..\Run: [RCConnector] "C:\Program Files\TVNCPro\bin\connector.exe" -userLogin
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpInspector.exe] "C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe"
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools\umsd.exe sys_auto_run C:\Program Files\UMSD Tools
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [mswspl] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe"
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /nocomm
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [KaZooM] C:\Program Files\Blue Haven Media\KaZooM\KaZooM.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaa.kpp" /SYSTRAY
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [HueyToolbar] C:\Program Files\Huey\HueyController.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\edonkey2000.exe" -t
O4 - HKLM\..\Run: [dupelogmoveblah] C:\Documents and Settings\All Users\Application Data\2 inter dupe log\clock axis.exe
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINDOWS\SPMSMON.EXE
O4 - HKLM\..\Run: [dxvid] c:\windows\system32\dxvid.exe /nocomm
O4 - HKLM\..\Run: [xhxmxbv] c:\windows\system32\brzwqtp.exe
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Hotmail - {4154081F-5411-4ce6-98A1-19DA0D11645E} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: IE Password - {C40E0AA1-4EC1-455C-BA2B-79C336F89462} - C:\WINDOWS\system32\IEPassword.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O9 - Extra 'Tools' menuitem: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\1189.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...0006_cracks.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c338.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_de.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {81F0C919-AB0B-4F5C-932D-5CEEF05879E9} (IITLoadCtrl Class) - https://locator.01co...p/iitloader.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {9D614E8E-03AA-11D3-90FC-0040C7157029} (PDMSInstallerCtl Class) - http://www.pakdata.c...MSInstaller.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo....cab?refid=4746
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CAAE28D1-ADCC-11D1-BD4D-004845401881} (Urdu98 Control) - http://www.pakdata.c.../urduplugin.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} (G.a3) - http://www.fastfind....03C02/setup.exe
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowersc...pcpowerscan.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O16 - DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} (EURAS_Portal.Gateway) - http://www.euras.com...ivex2/euras.CAB
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...ildAppNonUS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF29FF8C-B1EA-4A05-B79B-91C0465D8EE9}: NameServer = 209.47.15.118,64.157.143.38,192.168.121.252,192.168.121.253
O23 - Service: BullGuard Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe" /service (file missing)
O23 - Service: TridiaVNC Pro Connector To IAS (ConnectToIASConnector) - Unknown owner - C:\Program Files\TVNCPro\bin\connector.exe" -runService -connectInetAccess -silent 0 (file missing)
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\PROGRAM FILES\TELEDAT\de_serv.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: Huey Server (HueyServer) - Unknown owner - C:\Program Files\Huey\HueyServ.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - 3am Labs Ltd. - C:\Program Files\RemotelyAnywhere\RaMaint.exe
O23 - Service: TridiaVNC Pro Connector Direct (RCConnector) - Unknown owner - C:\Program Files\TVNCPro\bin\connector.exe" -runService -silent 0 (file missing)
O23 - Service: TridiaVNC Pro Controller (RCController) - Unknown owner - C:\Program Files\TVNCPro\bin\processor.exe" -runService -silent 0 (file missing)
O23 - Service: RemotelyAnywhere - 3am Labs Ltd. - C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SrvAdmin Security service (SrvAdmSrv) - HHD Software - C:\WINDOWS\System32\SrvAdmSrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINDOWS\System32\WT32EXE.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TridiaFTP Server (TridiaFTPServer) - Tridia Corporation - C:\Program Files\TVNCPro\bin\ftpd.exe
O23 - Service: BullGuard Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BullGuard\vsserv.exe" /service (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: BullGuard Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe" /service (file missing)
  • 0

#8
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Hi there,

Much better -- but you didn't perform again what I asked you to. I asked you to install ewido and perform a full scan in safe mode. You didn't even install ewido!
So, I'm going to ask you again in the next steps.
I strongly suggest you print out next instructions, or save them in notepad, because you'll have a lot of steps to take (in the right order) and you also have to work in safe mode, so this page wouldn't be available then.

* Please set your system to show all files; please see here if you're unsure how to do this.

* Download ewido security suite here: http://www.ewido.net/en/download/
Install and update it. Don't let it scan yet!!

* Download nailfix.zip
Unzip it, save it on your desktop. Don't use it yet!!

* Reboot into Safe Mode:
To get into the Safe mode as the computer is booting press and hold your "F8 Key". Use your arrow keys to move to "Safe Mode" and press your Enter key.

* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\system32\rsyncmon.dll
O2 - BHO: TBMouseGuestures Class - {3614926A-225F-4E00-8A1E-1D3095547FC8} - C:\Program Files\ToolButton\MouseGestures.dll
O2 - BHO: (no name) - {B9BB810E-3736-4F12-A78E-227C6D963E19} - C:\WINDOWS\System32\dpucdll.dll
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load
O4 - HKLM\..\Run: [MyWebSearch Email Plugin] C:\PROGRA~1\MyWay\bar\2.bin\mwsoemon.exe
O4 - HKLM\..\Run: [mswspl] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /nocomm
O4 - HKLM\..\Run: [KaZooM] C:\Program Files\Blue Haven Media\KaZooM\KaZooM.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaa.kpp" /SYSTRAY
O4 - HKLM\..\Run: [dupelogmoveblah] C:\Documents and Settings\All Users\Application Data\2 inter dupe log\clock axis.exe
O4 - HKLM\..\Run: [dxvid] c:\windows\system32\dxvid.exe /nocomm
O4 - HKLM\..\Run: [xhxmxbv] c:\windows\system32\brzwqtp.exe
O4 - HKLM\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O4 - HKCU\..\RunOnce: [Srv32 spool service] C:\WINDOWS\System32\spoolsrv32.exe
O9 - Extra button: Hotmail - {4154081F-5411-4ce6-98A1-19DA0D11645E} - (no file)
O9 - Extra button: IE Password - {C40E0AA1-4EC1-455C-BA2B-79C336F89462} - C:\WINDOWS\system32\IEPassword.dll
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\1189.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...0006_cracks.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c338.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_de.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {9D614E8E-03AA-11D3-90FC-0040C7157029} (PDMSInstallerCtl Class) - http://www.pakdata.c...MSInstaller.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo....cab?refid=4746
O16 - DPF: {CAAE28D1-ADCC-11D1-BD4D-004845401881} (Urdu98 Control) - http://www.pakdata.c.../urduplugin.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} (G.a3) - http://www.fastfind....03C02/setup.exe
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowersc...pcpowerscan.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...ildAppNonUS.cab
O23 - Service: SrvAdmin Security service (SrvAdmSrv) - HHD Software - C:\WINDOWS\System32\SrvAdmSrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe


* Click on Fix Checked when finished and exit HijackThis.

* Doubleclick nailfix.bat.
Don't worry, your icons and taskbar will disappear for a couple of seconds, that is normal.

* Using Windows Explorer, locate the following files/folders, and delete them if still present:

C:\Windows\System32\wsaupdater.exe
C:\WINDOWS\system32\bridge.dll
C:\PROGRAM FILES\MyWay <== folder
c:\windows\system32\msdmxm.exe
C:\Documents and Settings\All Users\Application Data\2 inter dupe log <== folder
c:\windows\system32\dxvid.exe
c:\windows\system32\brzwqtp.exe
C:\WINDOWS\System32\spoolsrv32.exe
C:\Program Files\Ebates_MoeMoneyMaker <== folder

* Run Ccleaner and click Run Cleaner (bottom right)

* Still in safe mode; Perform a full scan with ewido.
Let it delete everything it is finding.
When finished, you'll get the option to make a log.
Save this log, because I'll need that later.

Go to start > control panel > Display properties > Desktop > Customize Desktop... > Web tab > uncheck and delete everything you find in there

* Reboot your system back to normal mode.

Download Findit
Unzip it to your desktop. Make sure the FindIt's.bat and XFind.com are together in the same UNZIPPED folder!
Disconnect from the internet, if you use an always on internet connection unplug it.
Let your PC be idle for 15 minutes !!

Doubleclick FindIt's.bat. When the scan is done, it will produce a log. Save that log.
If you get an error while scanning similar like: "''C:\windows\system32\cmd.exe
C:\windows\system32\autoexec.nt the system file is not suitable for running ms-dos and microsoft windows applications. choose close to terminate the application.."
Use the next fix first and try again: http://www.visualtou...oads/xp_fix.exe

I want to know what it is, so can you go to next site:
http://virusscan.jotti.org/

On top you'll find: File to upload and scan.
Now browse to the next file:

C:\WINDOWS\System32\SrvAdmSrv.exe

Click submit and let it scan.
Copy and paste the results in your next reply together with a fresh HijackThis log + log from findit's and the log from ewido and I'll take another look.
So I need 4 logs in your next reply. (result from jotti-scan, hijackthislog, findit's-log and ewidolog)

Please try to perform everything I'm asking, otherwise this won't make sense. It's for your good I'm asking you all this. If you need help, and someone is willing to help you, it's better to cooperate instead of only performing the things you think are necessary.
By the way -- Why all those different remote desktop software? Please try to stick with one and uninstall all the rest. This really slows down your system a lot!!
  • 0
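A check a helper can run once the follow-up log arrives, as an added example that is not part of the original posts: it compares the entries selected for Fix Checked and the files listed for deletion against a fresh HijackThis log. The sample data is a constructed, shortened excerpt in the format of the logs in this thread, and the function names are hypothetical.

```python
import re

# HijackThis entry lines start with a section code such as R1, F2, O4 or O23.
ENTRY_RE = re.compile(r"^(R[0-3]|F[0-3]|N[1-4]|O\d{1,2}) - (.+)$")


def normalize(line):
    """Collapse whitespace and case so copies of one entry compare equal.

    Windows paths are case-insensitive, and the logs mix C:\\WINDOWS with
    c:\\windows, so comparison is done on the case-folded text.
    """
    return " ".join(line.split()).casefold()


def parse_log(text):
    """Return (running process paths, entry lines) from a HijackThis log."""
    processes, entries = set(), {}
    in_processes = False
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.casefold() == "running processes:":
            in_processes = True
            continue
        match = ENTRY_RE.match(line)
        if match:
            in_processes = False  # the entry list follows the process list
            entries[normalize(line)] = (match.group(1), line)
        elif in_processes:
            processes.add(normalize(line))
    return processes, entries


def verify_cleanup(fix_text, delete_paths, new_log):
    """Report which fixed entries and deleted files still show up in new_log."""
    processes, entries = parse_log(new_log)
    fix_lines = [l.strip() for l in fix_text.splitlines()
                 if ENTRY_RE.match(l.strip())]
    return {
        # Entries that were checked for fixing but appear again unchanged.
        "persisting": [l for l in fix_lines if normalize(l) in entries],
        # Entries that no longer appear in the fresh log.
        "removed": [l for l in fix_lines if normalize(l) not in entries],
        # Files scheduled for deletion that are still running as processes.
        "still_running": [p for p in delete_paths
                          if normalize(p) in processes],
    }


# Constructed sample: a few of the entries the helper asked to fix.
FIX_CHECKED = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [xhxmxbv] c:\windows\system32\brzwqtp.exe
"""

# Constructed sample: a few of the files the helper asked to delete.
DELETE_PATHS = [
    r"c:\windows\system32\msdmxm.exe",
    r"c:\windows\system32\dxvid.exe",
    r"c:\windows\system32\brzwqtp.exe",
]

# Constructed, shortened follow-up log in HijackThis v1.99.1 layout.
NEW_LOG = r"""Logfile of HijackThis v1.99.1

Running processes:
C:\WINDOWS\Explorer.EXE
C:\windows\system32\msdmxm.exe
C:\windows\system32\dxvid.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
"""

if __name__ == "__main__":
    report = verify_cleanup(FIX_CHECKED, DELETE_PATHS, NEW_LOG)
    for key, items in report.items():
        print(key)
        for item in items:
            print("   ", item)
```

Entries reported as persisting either were never fixed or are being rewritten by a process that is still running, which is why the process check sits beside the entry check.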

#9
mnadeem

    Member

  • Topic Starter
  • Member
  • 98 posts
hi after in safe mode reloading with ccleaner and ewido software, now the new log
Logfile of HijackThis v1.99.1
Scan saved at 10:48:11 AM, on 5/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Huey\HueyServ.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\RemotelyAnywhere\RaMaint.exe
C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\SrvAdmSrv.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\System32\WT32EXE.EXE
C:\Program Files\RemotelyAnywhere\RAGui.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\Program Files\TightVNC-unstable\WinVNC.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
C:\Program Files\BullGuard\vsserv.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\system32\ctfmon.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\system32\tblmouse.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\shicoxp.exe
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\RAM Idle\RAM_XP.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
C:\program files\umsd tools\umsd.exe
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe
C:\windows\system32\msdmxm.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Blue Haven Media\KaZooM\KaZooM.exe
C:\Program Files\Kazaa Lite\kazaa.kpp
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\ICQ\ICQ.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Huey\HueyController.exe
C:\WINDOWS\system32\UMonit2K.exe
C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\WINDOWS\SPMSMON.EXE
C:\windows\system32\dxvid.exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Avant Browser\avant.exe
C:\Documents and Settings\fnadeem\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant =
R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch =
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Local Page =
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
F2 - REG:system.ini: UserInit=C:\WINDOWS\system32\userinit.exe,C:\Windows\System32\wsaupdater.exe,
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: Shareaza Web Download Hook - {0EEDB912-C5FA-486F-8334-57288578C627} - C:\Program Files\Shareaza\Plugins\RazaWebHook.dll
O2 - BHO: RsyncHlpr Class - {16B238D5-80DE-47CE-8F17-B3ECE2C2248D} - C:\WINDOWS\system32\rsyncmon.dll (file missing)
O2 - BHO: TBMouseGuestures Class - {3614926A-225F-4E00-8A1E-1D3095547FC8} - C:\Program Files\ToolButton\MouseGestures.dll
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {B9BB810E-3736-4F12-A78E-227C6D963E19} - C:\WINDOWS\System32\dpucdll.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKLM\..\Run: [RunDLL] rundll32.exe "C:\WINDOWS\system32\bridge.dll",Load
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TVNCPro\bin\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\Windows Registry Repair Pro.exe -X
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TBLFUNC] tblmouse.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [RemotelyAnywhere GUI] "C:\Program Files\RemotelyAnywhere\ragui.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RDesktop] "C:\PROGRA~1\01COM~1\I'MINT~1\BIN\rdesktop.exe" -servicehelper
O4 - HKLM\..\Run: [RCController] "C:\Program Files\TVNCPro\bin\processor.exe" -userLogin
O4 - HKLM\..\Run: [RCConnector] "C:\Program Files\TVNCPro\bin\connector.exe" -userLogin
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpInspector.exe] "C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe"
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools\umsd.exe sys_auto_run C:\Program Files\UMSD Tools
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [mswspl] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe"
O4 - HKLM\..\Run: [Msdmxm] c:\windows\system32\msdmxm.exe /nocomm
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [KaZooM] C:\Program Files\Blue Haven Media\KaZooM\KaZooM.exe
O4 - HKLM\..\Run: [KAZAA] "C:\Program Files\Kazaa Lite\kpp.exe" "C:\Program Files\Kazaa Lite\kazaa.kpp" /SYSTRAY
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [HueyToolbar] C:\Program Files\Huey\HueyController.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\edonkey2000.exe" -t
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINDOWS\SPMSMON.EXE
O4 - HKLM\..\Run: [dxvid] c:\windows\system32\dxvid.exe /nocomm
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Hotmail - {4154081F-5411-4ce6-98A1-19DA0D11645E} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: IE Password - {C40E0AA1-4EC1-455C-BA2B-79C336F89462} - C:\WINDOWS\system32\IEPassword.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O9 - Extra 'Tools' menuitem: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\1189.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...0006_cracks.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c338.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_de.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {81F0C919-AB0B-4F5C-932D-5CEEF05879E9} (IITLoadCtrl Class) - https://locator.01co...p/iitloader.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {9D614E8E-03AA-11D3-90FC-0040C7157029} (PDMSInstallerCtl Class) - http://www.pakdata.c...MSInstaller.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo....cab?refid=4746
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CAAE28D1-ADCC-11D1-BD4D-004845401881} (Urdu98 Control) - http://www.pakdata.c.../urduplugin.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} (G.a3) - http://www.fastfind....03C02/setup.exe
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowersc...pcpowerscan.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O16 - DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} (EURAS_Portal.Gateway) - http://www.euras.com...ivex2/euras.CAB
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...ildAppNonUS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF29FF8C-B1EA-4A05-B79B-91C0465D8EE9}: NameServer = 209.47.15.118,64.157.143.38,192.168.121.252,192.168.121.253
O23 - Service: BullGuard Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe" /service (file missing)
O23 - Service: TridiaVNC Pro Connector To IAS (ConnectToIASConnector) - Unknown owner - C:\Program Files\TVNCPro\bin\connector.exe" -runService -connectInetAccess -silent 0 (file missing)
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\PROGRAM FILES\TELEDAT\de_serv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: Huey Server (HueyServer) - Unknown owner - C:\Program Files\Huey\HueyServ.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - 3am Labs Ltd. - C:\Program Files\RemotelyAnywhere\RaMaint.exe
O23 - Service: TridiaVNC Pro Connector Direct (RCConnector) - Unknown owner - C:\Program Files\TVNCPro\bin\connector.exe" -runService -silent 0 (file missing)
O23 - Service: TridiaVNC Pro Controller (RCController) - Unknown owner - C:\Program Files\TVNCPro\bin\processor.exe" -runService -silent 0 (file missing)
O23 - Service: RemotelyAnywhere - 3am Labs Ltd. - C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SrvAdmin Security service (SrvAdmSrv) - HHD Software - C:\WINDOWS\System32\SrvAdmSrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINDOWS\System32\WT32EXE.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TridiaFTP Server (TridiaFTPServer) - Tridia Corporation - C:\Program Files\TVNCPro\bin\ftpd.exe
O23 - Service: BullGuard Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BullGuard\vsserv.exe" /service (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: BullGuard Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe" /service (file missing)

#10
mnadeem

OK, going into safe mode and using the new removing software, and will report to you.

#11
miekiemoes

    Malware Expert

Please! Follow my advice!!

I asked you for 4 logs -- how come you only posted 1? The HijackThis log?
You were supposed to go into safe mode earlier to fix all this and perform all the steps I asked you to.
I also see you didn't fix the things in your HijackThis log I asked you to.

Can you please, please read my previous post again and give me ALL the logs I asked for? Otherwise this really won't make any sense if you're only posting - performing the things you think are better and skipping some steps you think are unnecessary -- it is!!!

#12
mnadeem

First HijackThis log:
Logfile of HijackThis v1.99.1
Scan saved at 6:03:17 PM, on 5/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Ahead\InCD\InCDsrv.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\ewido\security suite\ewidoctrl.exe
C:\Program Files\ewido\security suite\ewidoguard.exe
C:\Program Files\Roxio\GoBack\GBPoll.exe
C:\WINDOWS\SYSTEM32\GEARSEC.EXE
C:\Program Files\Huey\HueyServ.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\nvsvc32.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\RemotelyAnywhere\RaMaint.exe
C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
C:\WINDOWS\system32\wfxsnt40.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\Program Files\3B Software\Windows Registry Repair Pro\Windows Registry Repair Pro.exe
C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\system32\tblmouse.exe
C:\WINDOWS\System32\SrvAdmSrv.exe
C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
C:\WINDOWS\shicoxp.exe
C:\Program Files\SMSC\Seticon.exe
C:\Program Files\RemotelyAnywhere\ragui.exe
C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe
C:\Program Files\RAM Idle\RAM_XP.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\QuickTime\qttask.exe
C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
C:\program files\umsd tools\umsd.exe
C:\WINDOWS\System32\WT32EXE.EXE
C:\Program Files\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe
C:\PROGRA~1\ICQ\ICQNet.exe
C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
C:\Program Files\Ahead\InCD\InCD.exe
C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
C:\Program Files\Huey\HueyController.exe
C:\WINDOWS\System32\WFXSVC.EXE
C:\WINDOWS\system32\UMonit2K.exe
C:\Program Files\TightVNC-unstable\WinVNC.exe
C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe
C:\Program Files\eDonkey2000\edonkey2000.exe
C:\PROGRA~1\DATACA~1\FLashKsk.exe
C:\Program Files\RealVNC\VNC4\WinVNC4.exe
C:\WINDOWS\SPMSMON.EXE
C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe
C:\Program Files\BullGuard\vsserv.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\system32\notepad.exe
C:\WINDOWS\system32\cmd.exe
C:\WINDOWS\system32\ntvdm.exe
C:\WINDOWS\SYSTEM32\notepad.exe
C:\Documents and Settings\fnadeem\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {B9BB810E-3736-4F12-A78E-227C6D963E19} - C:\WINDOWS\System32\dpucdll.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [XeroxScannerDaemon] C:\Program Files\Xerox\NWWia\XrxFTPLt.exe
O4 - HKLM\..\Run: [WinVNC] "C:\Program Files\TVNCPro\bin\WinVNC.exe" -servicehelper
O4 - HKLM\..\Run: [WinFaxAppPortStarter] wfxsnt40.exe
O4 - HKLM\..\Run: [Windows Registry Repair Pro] C:\Program Files\3B Software\Windows Registry Repair Pro\Windows Registry Repair Pro.exe -X
O4 - HKLM\..\Run: [WheelMouse] C:\PROGRA~1\A4Tech\Mouse\Amoumain.exe
O4 - HKLM\..\Run: [VirtualCloneDrive] "C:\Program Files\Elaborate Bytes\VirtualCloneDrive\VCDDaemon.exe" /s
O4 - HKLM\..\Run: [TkBellExe] "C:\Program Files\Common Files\Real\Update_OB\realsched.exe" -osboot
O4 - HKLM\..\Run: [TBLFUNC] tblmouse.exe
O4 - HKLM\..\Run: [Symantec NetDriver Monitor] C:\PROGRA~1\SYMNET~1\SNDMon.exe
O4 - HKLM\..\Run: [SunJavaUpdateSched] C:\Program Files\Java\j2re1.4.2_05\bin\jusched.exe
O4 - HKLM\..\Run: [SmcService] C:\PROGRA~1\Sygate\SPF\smc.exe -startgui
O4 - HKLM\..\Run: [shicoxp] C:\WINDOWS\shicoxp.exe
O4 - HKLM\..\Run: [SetIcon] C:\Program Files\SMSC\Seticon.exe
O4 - HKLM\..\Run: [RemotelyAnywhere GUI] "C:\Program Files\RemotelyAnywhere\ragui.exe"
O4 - HKLM\..\Run: [RemoteControl] "C:\Program Files\CyberLink DVD Solution\PowerDVD\PDVDServ.exe"
O4 - HKLM\..\Run: [RDesktop] "C:\PROGRA~1\01COM~1\I'MINT~1\BIN\rdesktop.exe" -servicehelper
O4 - HKLM\..\Run: [RCController] "C:\Program Files\TVNCPro\bin\processor.exe" -userLogin
O4 - HKLM\..\Run: [RCConnector] "C:\Program Files\TVNCPro\bin\connector.exe" -userLogin
O4 - HKLM\..\Run: [RAM Idle Professional] C:\Program Files\RAM Idle\RAM_XP.exe
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [PopUpInspector.exe] "C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe"
O4 - HKLM\..\Run: [PLoader] c:\program files\umsd tools\umsd.exe sys_auto_run C:\Program Files\UMSD Tools
O4 - HKLM\..\Run: [nwiz] nwiz.exe /install
O4 - HKLM\..\Run: [NvCplDaemon] RUNDLL32.EXE C:\WINDOWS\System32\NvCpl.dll,NvStartup
O4 - HKLM\..\Run: [NeroFilterCheck] C:\WINDOWS\system32\NeroCheck.exe
O4 - HKLM\..\Run: [msnappau] "C:\Program Files\MSN Apps\Updater\01.02.3000.1001\de\msnappau.exe"
O4 - HKLM\..\Run: [Mirabilis ICQ] C:\PROGRA~1\ICQ\ICQNet.exe
O4 - HKLM\..\Run: [LWBMOUSE] C:\Program Files\Browser Mouse\Browser Mouse\1.0\lwbwheel.exe
O4 - HKLM\..\Run: [InCD] C:\Program Files\Ahead\InCD\InCD.exe
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [IMEKRMIG6.1] C:\WINDOWS\ime\imkr6_1\IMEKRMIG.EXE
O4 - HKLM\..\Run: [iKeyWorks] C:\PROGRA~1\A4Tech\Keyboard\Ikeymain.exe
O4 - HKLM\..\Run: [HueyToolbar] C:\Program Files\Huey\HueyController.exe
O4 - HKLM\..\Run: [GoToMyPC] C:\Program Files\Expertcity\GoToMyPC\g2svc.exe -logon
O4 - HKLM\..\Run: [Gene USB Monitor] C:\WINDOWS\system32\UMonit2K.exe
O4 - HKLM\..\Run: [FineReader7NewsReaderPro] C:\Program Files\ABBYY FineReader 7.0 Professional Edition\AbbyyNewsReader.exe
O4 - HKLM\..\Run: [FastTVSync] "C:\Program Files\Common Files\InterVideo\FastTVSync\FastTVSync.exe"
O4 - HKLM\..\Run: [ElbyCheckElbyCDFL] "C:\Program Files\Elaborate Bytes\CloneCD\ElbyCheck.exe" /L ElbyCDFL
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\edonkey2000.exe" -t
O4 - HKLM\..\Run: [DataCaching] C:\PROGRA~1\DATACA~1\FLashKsk.exe
O4 - HKLM\..\Run: [ChangeICON] C:\WINDOWS\SPMSMON.EXE
O4 - HKLM\..\Run: [PopUpInspector] C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Hotmail - {4154081F-5411-4ce6-98A1-19DA0D11645E} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: IE Password - {C40E0AA1-4EC1-455C-BA2B-79C336F89462} - C:\WINDOWS\system32\IEPassword.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O9 - Extra button: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O9 - Extra 'Tools' menuitem: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\1189.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...0006_cracks.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c338.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_de.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {81F0C919-AB0B-4F5C-932D-5CEEF05879E9} (IITLoadCtrl Class) - https://locator.01co...p/iitloader.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {9D614E8E-03AA-11D3-90FC-0040C7157029} (PDMSInstallerCtl Class) - http://www.pakdata.c...MSInstaller.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo....cab?refid=4746
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CAAE28D1-ADCC-11D1-BD4D-004845401881} (Urdu98 Control) - http://www.pakdata.c.../urduplugin.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} (G.a3) - http://www.fastfind....03C02/setup.exe
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowersc...pcpowerscan.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O16 - DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} (EURAS_Portal.Gateway) - http://www.euras.com...ivex2/euras.CAB
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...ildAppNonUS.cab
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF29FF8C-B1EA-4A05-B79B-91C0465D8EE9}: NameServer = 209.47.15.118,64.157.143.38,192.168.121.252,192.168.121.253
O23 - Service: BullGuard Scan Server (bdss) - Unknown owner - C:\Program Files\Common Files\BullGuard\BullGuard Scan Server\bdss.exe" /service (file missing)
O23 - Service: TridiaVNC Pro Connector To IAS (ConnectToIASConnector) - Unknown owner - C:\Program Files\TVNCPro\bin\connector.exe" -runService -connectInetAccess -silent 0 (file missing)
O23 - Service: AVM FRITZ!web Routing Service (de_serv) - AVM Berlin - C:\PROGRAM FILES\TELEDAT\de_serv.exe
O23 - Service: ewido security suite control - ewido networks - C:\Program Files\ewido\security suite\ewidoctrl.exe
O23 - Service: ewido security suite guard - ewido networks - C:\Program Files\ewido\security suite\ewidoguard.exe
O23 - Service: GBPoll - Roxio, Inc. - C:\Program Files\Roxio\GoBack\GBPoll.exe
O23 - Service: GEARSecurity - GEAR Software - C:\WINDOWS\SYSTEM32\GEARSEC.EXE
O23 - Service: Huey Server (HueyServer) - Unknown owner - C:\Program Files\Huey\HueyServ.exe
O23 - Service: InCD Helper (InCDsrv) - Nero AG - C:\Program Files\Ahead\InCD\InCDsrv.exe
O23 - Service: NVIDIA Display Driver Service (NVSvc) - NVIDIA Corporation - C:\WINDOWS\System32\nvsvc32.exe
O23 - Service: PACSPTISVR - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Pacsptisvr.exe
O23 - Service: Trend Micro Central Control Component (PcCtlCom) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\PcCtlCom.exe
O23 - Service: RemotelyAnywhere Maintenance Service (RAMaint) - 3am Labs Ltd. - C:\Program Files\RemotelyAnywhere\RaMaint.exe
O23 - Service: TridiaVNC Pro Connector Direct (RCConnector) - Unknown owner - C:\Program Files\TVNCPro\bin\connector.exe" -runService -silent 0 (file missing)
O23 - Service: TridiaVNC Pro Controller (RCController) - Unknown owner - C:\Program Files\TVNCPro\bin\processor.exe" -runService -silent 0 (file missing)
O23 - Service: RemotelyAnywhere - 3am Labs Ltd. - C:\Program Files\RemotelyAnywhere\RemotelyAnywhere.exe
O23 - Service: Remote Packet Capture Protocol v.0 (experimental) (rpcapd) - Unknown owner - %ProgramFiles%\WinPcap\rpcapd.exe" -d -f "%ProgramFiles%\WinPcap\rpcapd.ini (file missing)
O23 - Service: Remote Administrator Service (r_server) - Unknown owner - C:\WINDOWS\System32\r_server.exe" /service (file missing)
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe
O23 - Service: Sony SPTI Service (SPTISRV) - Sony Corporation - C:\Program Files\Common Files\Sony Shared\AVLib\Sptisrv.exe
O23 - Service: SrvAdmin Security service (SrvAdmSrv) - HHD Software - C:\WINDOWS\System32\SrvAdmSrv.exe
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)
O23 - Service: Tablet Service (TabletService) - Aiptek - C:\WINDOWS\System32\WT32EXE.EXE
O23 - Service: Trend Micro Real-time Service (Tmntsrv) - Trend Micro Incorporated. - C:\PROGRA~1\TRENDM~1\INTERN~1\Tmntsrv.exe
O23 - Service: Trend Micro Personal Firewall (TmPfw) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\TmPfw.exe
O23 - Service: Trend Micro Proxy Service (tmproxy) - Trend Micro Inc. - C:\PROGRA~1\TRENDM~1\INTERN~1\tmproxy.exe
O23 - Service: TridiaFTP Server (TridiaFTPServer) - Tridia Corporation - C:\Program Files\TVNCPro\bin\ftpd.exe
O23 - Service: BullGuard Virus Shield (VSSERV) - Unknown owner - C:\Program Files\BullGuard\vsserv.exe" /service (file missing)
O23 - Service: WinFax PRO (wfxsvc) - Symantec Corporation - C:\WINDOWS\System32\WFXSVC.EXE
O23 - Service: VNC Server (winvnc) - Unknown owner - C:\Program Files\TightVNC-unstable\WinVNC.exe" -service (file missing)
O23 - Service: VNC Server Version 4 (WinVNC4) - Unknown owner - C:\Program Files\RealVNC\VNC4\WinVNC4.exe" -service (file missing)
O23 - Service: BullGuard Communicator (XCOMM) - Unknown owner - C:\Program Files\Common Files\BullGuard\BullGuard Communicator\xcommsvr.exe" /service (file missing)

second findfix log

Microsoft Windows XP [Version 5.1.2600]
The current date is: Mon 05/16/2005
PLEASE NOTE THAT ALL FILES FOUND BY THIS METHOD ARE NOT BAD FILES, THERE MIGHT BE LEGIT FILES LISTED AND PLEASE BE CAREFUL WHILE FIXING. IF YOU ARE UNSURE OF WHAT IT IS LEAVE THEM ALONE.
»»»»»»»»»»»»»»»»»»»»»»»» Todo Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»»»


»»»»»»»»»»»»»»»»»»»»»»»» aurora Files found »»»»»»»»»»»»»»»»»»»»»»»»»»»

* aurora C:\WINDOWS\XVUWDBD.EXE

»»»»»»»»»»»»»»»»»»»»»»»» Suspect's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
Dont delete file's in the section without guidance
If any doubt back them up first

* UPX! C:\WINDOWS\System32\AHAW.EXE
* UPX! C:\WINDOWS\System32\INIT32M.EXE
* UPX! C:\WINDOWS\System32\SETUP_~1.EXE
* UPX! C:\WINDOWS\System32\SQMFXAAA.EXE
* UPX! C:\WINDOWS\System32\TASKMG.EXE
* UPX! C:\WINDOWS\System32\THIN-9~2.EXE
* UPX! C:\WINDOWS\System\UPDINS~1.EXE
* UPX! C:\WINDOWS\ANIQUEO.EXE
* UPX! C:\WINDOWS\CELEBR~1.EXE
* UPX! C:\WINDOWS\DWBREA~1.EXE
* UPX! C:\WINDOWS\HHSSJPR.EXE
* UPX! C:\WINDOWS\MSBB.EXE
* UPX! C:\WINDOWS\NAIL.EXE
* UPX! C:\WINDOWS\VMOBYK~1.EXE
* UPX! C:\WINDOWS\XNNJFX.EXE

»»»»» lagitamate file's can/will show in this section.

* UPX! C:\WINDOWS\System32\AVISYNTH.DLL
* UPX! C:\WINDOWS\System32\DEVIL.DLL
* UPX! C:\WINDOWS\System32\IEPASS~1.DLL
* UPX! C:\WINDOWS\System32\MACDEC.DLL
* UPX! C:\WINDOWS\System32\SRPCSR~1.DLL
* UPX! C:\WINDOWS\System32\TXFDB32.DLL
»»»»»»»»»»»»»»»»»»»»»»»» Buddy file's »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»
* buddy C:\WINDOWS\VMOBYK~1.EXE

»»»»»»»»»»»»»»»»»»»»»»»» SAHAgent Files found »»»»»»»»»»»»»»»»»»»»»»»»»

* SAHAgent C:\WINDOWS\System32\ABASA5~1.EXE
* SAHAgent C:\WINDOWS\System32\AP9H4QMO.EXE
* SAHAgent C:\WINDOWS\System32\BLN02NQV.EXE
* SAHAgent C:\WINDOWS\System32\GAH95ON6.EXE
* SAHAgent C:\WINDOWS\System32\HOCHKA~1.EXE
* SAHAgent C:\WINDOWS\System32\Q17I9A4J.EXE
* SAHAgent C:\WINDOWS\U6F6UF~1.EXE
* SAHAgent C:\WINDOWS\System32\70TOVMTO.INI
* SAHAgent C:\WINDOWS\System32\A95KFRHE.INI
* SAHAgent C:\WINDOWS\System32\ABASA5~1.INI
* SAHAgent C:\WINDOWS\System32\AP9H4QMO.INI
* SAHAgent C:\WINDOWS\System32\BLN02NQV.INI
* SAHAgent C:\WINDOWS\System32\GAH95ON6.INI
* SAHAgent C:\WINDOWS\System32\HOCHKA~1.INI
* SAHAgent C:\WINDOWS\System32\Q17I9A4J.INI
* SAHAgent C:\WINDOWS\System32\U6F6UF~1.INI
»»»»»»»»»»»»»»»»»»»»»»»» Misc checks »»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»»

* _rtneg3 C:\WINDOWS\System32\NSF2AA.DLL
* _rtneg3 C:\WINDOWS\System32\NSOC.DLL
* _rtneg3 C:\WINDOWS\System32\NSP21C.DLL
* _rtneg3 C:\WINDOWS\System32\NSP29B.DLL
* _rtneg3 C:\WINDOWS\System32\NSP58.DLL
* _rtneg3 C:\WINDOWS\System32\NSQ243.DLL
* _rtneg3 C:\WINDOWS\System32\NST30.DLL
* _rtneg3 C:\WINDOWS\System32\NSU23E.DLL
* _rtneg3 C:\WINDOWS\System32\NSV246.DLL
* _rtneg3 C:\WINDOWS\System32\NSY10C.DLL
* _rtneg3 C:\WINDOWS\System32\RTNEG3.DLL

»»»»» Check for Windows\SYSTEM32\cache32_rtneg* folder.

Volume in drive C is WINXPSPI
Volume Serial Number is B05F-E6B5

Directory of C:\WINDOWS\SYSTEM32

04/13/2005 06:52 PM <DIR> cache32_rtneg3
0 File(s) 0 bytes
1 Dir(s) 22,308,519,936 bytes free
»»»»» Checking for SAHAgent ico files.
Volume in drive C is WINXPSPI
Volume Serial Number is B05F-E6B5

Directory of C:\WINDOWS\system32

03/18/2005 04:59 PM 2,998 bball.ico
01/28/2005 05:43 PM 2,526 bikini31.ico
04/14/2005 12:00 AM 3,262 bingo_big2.ico
11/15/2004 12:02 AM 3,262 body2.ico
01/02/2005 04:01 PM 3,262 body3331.ico
02/22/2005 02:11 AM 2,998 bomb1.ico
12/15/2004 02:40 PM 3,262 bubbles-ke2.ico
12/14/2004 07:56 PM 3,262 bubbles-ki.ico
03/16/2005 11:14 PM 3,262 conver radio 32x32-21.ico
11/20/2004 08:28 PM 3,262 creditcard21.ico
12/17/2004 07:40 PM 3,262 creditcard321.ico
02/22/2005 02:30 PM 3,262 creditcard32123123123.ico
04/15/2005 05:42 PM 3,262 creditcard32123123123asdsa.ico
10/08/2004 12:11 AM 4,286 dating1.ico
01/12/2005 11:40 PM 4,286 datingpof1.ico
04/13/2005 11:45 PM 3,262 dice2.ico
11/16/2004 08:00 PM 1,078 disk01.ico
10/10/2004 12:38 AM 4,286 driving4dollars.ico
03/26/2005 08:33 PM 3,262 eye41.ico
12/12/2004 07:44 PM 4,286 greenmovie.ico
12/15/2004 02:40 PM 4,286 greenmovie2.ico
03/07/2005 01:46 AM 4,286 greenmovie2313.ico
03/15/2005 03:31 PM 4,286 greenmovie2313asa.ico
04/13/2005 06:51 PM 4,286 greenmovie2313asaadsasfad.ico
04/15/2005 05:42 PM 4,286 greenmovie2313asaadsasfad112341231adsfa.ico
04/13/2005 11:45 PM 3,262 hotbod123121.ico
02/22/2005 02:10 AM 2,526 ibm laptop1.ico
03/07/2005 01:47 AM 2,526 ibm laptop21.ico
03/14/2005 03:21 PM 2,526 ibm laptop3.ico
02/22/2005 02:30 PM 2,526 ibmlaptop1.ico
03/29/2005 06:44 PM 2,526 ibmlaptop12312a.ico
06/21/2001 04:54 AM 2,238 iepassword.ico
06/19/2001 02:35 PM 2,238 iepasswordgray.ico
02/24/2005 08:33 PM 3,262 imacg51.ico
12/09/2004 04:17 PM 4,286 internet popup blocker1.ico
02/23/2005 02:03 PM 3,262 kas pink123.ico
02/24/2005 08:33 PM 3,262 kas pink1231.ico
03/07/2005 01:46 AM 3,262 kas pink1233.ico
03/18/2005 04:59 PM 3,262 kas pink1233a1.ico
04/13/2005 06:51 PM 3,262 kas pink1233aadsfa1.ico
04/14/2005 12:00 AM 3,262 kas pink1233aadsfa12.ico
02/28/2005 10:39 PM 3,262 kas4b.ico
03/15/2005 11:32 PM 3,262 kas4c1.ico
02/12/2005 01:49 PM 2,526 kasant1.ico
11/03/2004 01:07 PM 4,286 kevid1.ico
12/08/2004 08:05 AM 4,286 kevid231.ico
02/19/2005 10:07 PM 4,286 kevid231231.ico
04/07/2005 10:47 AM 4,286 kevid231231aa.ico
10/07/2004 05:34 PM 4,286 kill all spyware11.ico
12/09/2004 04:17 PM 4,286 kill all spyware212345.ico
02/22/2005 02:11 AM 4,286 kill all spyware212412431.ico
03/10/2005 03:28 PM 4,286 kill all spyware2124124311.ico
10/10/2004 12:38 AM 2,526 kill all spyware31.ico
02/09/2005 02:32 PM 4,286 kill all spyware32a1.ico
03/03/2005 07:48 PM 4,286 kill all spyware33a1.ico
04/13/2005 11:45 PM 3,262 kill all spyware41.ico
03/15/2005 12:38 PM 3,262 kill all spyware451.ico
03/18/2005 12:52 AM 4,286 kill all spywareadsfadsf1.ico
12/09/2004 04:17 PM 3,262 kill evidence 3.ico
01/29/2005 05:31 AM 2,526 kill internet popups12.ico
11/12/2004 01:50 AM 4,286 kill internet popups51.ico
12/17/2004 07:40 PM 3,262 killallspyware00.ico
01/02/2005 03:59 PM 3,262 killinternetpops32.ico
02/19/2005 10:07 PM 3,262 killinternetpops32121.ico
12/25/2004 12:10 AM 3,262 killinternetpopups-33.ico
03/29/2005 06:44 PM 3,262 killinternetpopups-33123213.ico
03/03/2005 08:52 PM 3,262 kspy1.ico
01/19/2005 01:55 AM 4,286 kxp41231.ico
01/12/2005 07:11 PM 2,526 laptop41.ico
04/13/2005 11:45 PM 1,078 mac02.ico
03/26/2005 08:33 PM 4,286 moviescirc2.ico
04/13/2005 11:45 PM 4,286 moviesorangecirc1.ico
03/15/2005 03:31 PM 4,286 mp3 players4sale1.ico
03/26/2005 08:33 PM 4,286 mp3 players4salea.ico
04/15/2005 05:42 PM 4,286 mp3red51aads.ico
04/13/2005 06:51 PM 4,286 mp3red51aads1.ico
02/23/2005 02:02 PM 2,238 plasma screen1.ico
04/13/2005 11:45 PM 3,262 poker112.ico
03/15/2005 12:35 PM 4,286 pop up blaster.ico
02/22/2005 02:11 AM 4,286 pop up blaster1.ico
04/15/2005 05:42 PM 4,286 pop up blaster123213.ico
04/05/2005 08:46 AM 4,286 pop up blaster1232131.ico
01/12/2005 11:40 PM 16,614 popupblocker231.ico
01/03/2005 02:36 AM 4,286 popupkiller1231231.ico
01/23/2005 02:45 PM 4,286 popupkiller123123a.ico
04/14/2005 12:00 AM 3,262 popupkiller2asdf1.ico
04/15/2005 05:42 PM 2,238 red_kas.ico
04/05/2005 08:46 AM 2,238 red_kas1.ico
02/24/2005 08:33 PM 2,238 safe1.ico
01/29/2005 06:48 PM 19,942 securefavorites.ico
01/12/2005 07:11 PM 3,262 spamnotifyiconbox324.ico
01/22/2003 05:49 AM 2,238 SPCF.ICO
01/22/2003 05:49 AM 2,238 SPMS.ICO
01/22/2003 05:49 AM 2,238 SPSDMMC.ICO
01/22/2003 05:49 AM 2,238 SPSM.ICO
10/23/2004 09:41 AM 4,286 stop popups231.ico
02/05/2005 07:00 PM 2,526 superbowl1.ico
01/29/2005 06:48 PM 4,286 usagold312.ico
02/04/2005 11:33 AM 3,262 usaplat123123.ico
04/13/2005 11:45 PM 3,262 usaplat1231231231.ico
12/12/2004 07:44 PM 4,286 usaplatinum.ico
01/18/2005 01:26 PM 4,286 usaplatinum12.ico
01/29/2005 06:48 PM 4,286 usaplatinum12342342341.ico
03/06/2005 09:55 PM 4,286 usaplatinum2.ico
10/23/2004 09:41 AM 4,286 usaplatinum51.ico
01/08/2005 11:04 AM 4,286 usaplatinum609.ico
11/20/2004 08:28 PM 4,286 usaplatinum61.ico
12/17/2004 07:39 PM 3,262 usplat151.ico
01/23/2005 02:45 PM 3,262 usplat15112.ico
04/13/2005 11:45 PM 3,262 vh e2.ico
03/10/2005 03:28 PM 3,262 vh e23.ico
04/15/2005 05:42 PM 3,262 vh e233.ico
04/13/2005 06:51 PM 3,262 vh e2331.ico
04/14/2005 12:04 AM 19,942 virus hunter yeah1.ico
12/08/2004 12:28 AM 19,942 virushunter1.ico
10/30/2004 09:05 AM 19,942 virushunter21.ico
01/29/2005 06:48 PM 19,942 virushunter231.ico
01/02/2005 03:59 PM 19,942 virushunter31.ico
10/23/2004 09:41 AM 19,942 wmkiller2.ico
12/17/2004 07:40 PM 3,262 xmas.ico
12/17/2004 01:34 AM 3,262 xox23_icon.ico
01/11/2005 06:40 PM 3,262 yuk or yum 32.ico
01/06/2005 03:33 AM 3,262 yuk or yum 41.ico
01/18/2005 01:26 PM 3,262 yuk or yum 6a1.ico
12/09/2004 10:06 PM 3,262 yuk or yum 7.ico
02/22/2005 02:30 PM 3,262 yuk or yum 7adsfas1.ico
01/19/2005 01:55 AM 3,262 yuk or yum 8a1.ico
12/08/2004 08:04 AM 3,262 yuk or yum.ico
01/23/2005 02:45 PM 5,182 yuk or yum1a.ico
129 File(s) 574,654 bytes
0 Dir(s) 22,308,507,648 bytes free

»»»»»»»»»»»»»»»»»»»»»»»».


third online scan
Service
Service load: 0% 100%

File: SrvAdmSrv.exe
Status: OK (Note: this file has been scanned before. Therefore, this file's scan results will not be stored in the database)
MD5 276e66f352ca0462609a3309fce65d02
Packers detected: -
Scanner results
AntiVir Found nothing
Avast Found nothing
AVG Antivirus Found nothing
BitDefender Found nothing
ClamAV Found nothing
Dr.Web Found nothing
F-Prot Antivirus Found nothing
Fortinet Found nothing
Kaspersky Anti-Virus Found nothing
mks_vir Found nothing
NOD32 Found nothing
Norman Virus Control Found nothing
VBA32 Found nothing

fourth log from ewido where to find because has not make it

#13
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP

fourth log from ewido where to find because has not make it


That's why I say it is important you follow all my steps.
Ok, give me a couple of minutes, still a lot of stuff to delete.

#14
miekiemoes

    Malware Expert

  • Member
  • 5,503 posts
  • MVP
Print next out or save it in notepad because you still have a lot to delete.

Delete in your C:\Windows-folder next:

XVUWDBD.EXE
ANIQUEO.EXE
CELEBR~1.EXE
DWBREA~1.EXE
HHSSJPR.EXE
MSBB.EXE
NAIL.EXE
XNNJFX.EXE
VMOBYK~1.EXE

Delete in your C:\Windows\system32-folder next:

AHAW.EXE
INIT32M.EXE
SETUP_~1.EXE
SQMFXAAA.EXE
TASKMG.EXE <== don't delete taskmgr.exe!!!
THIN-9~2.EXE
UPDINS~1.EXE
ABASA5~1.EXE
AP9H4QMO.EXE
BLN02NQV.EXE
GAH95ON6.EXE
HOCHKA~1.EXE
Q17I9A4J.EXE
U6F6UF~1.EXE
70TOVMTO.INI
A95KFRHE.INI
ABASA5~1.INI
AP9H4QMO.INI
BLN02NQV.INI
GAH95ON6.INI
HOCHKA~1.INI
Q17I9A4J.INI
U6F6UF~1.INI
NSF2AA.DLL
NSOC.DLL
NSP21C.DLL
NSP29B.DLL
NSP58.DLL
NSQ243.DLL
NST30.DLL
NSU23E.DLL
NSV246.DLL
NSY10C.DLL
RTNEG3.DLL
TXFDB32.DLL

bball.ico
bikini31.ico
bingo_big2.ico
body2.ico
body3331.ico
bomb1.ico
bubbles-ke2.ico
bubbles-ki.ico
conver radio 32x32-21.ico
creditcard21.ico
creditcard321.ico
creditcard32123123123.ico
creditcard32123123123asdsa.ico
dating1.ico
datingpof1.ico
dice2.ico
disk01.ico
driving4dollars.ico
eye41.ico
greenmovie.ico
greenmovie2.ico
greenmovie2313.ico
greenmovie2313asa.ico
greenmovie2313asaadsasfad.ico
greenmovie2313asaadsasfad112341231adsfa.ico
hotbod123121.ico
ibm laptop1.ico
ibm laptop21.ico
ibm laptop3.ico
ibmlaptop1.ico
ibmlaptop12312a.ico
iepassword.ico
iepasswordgray.ico
imacg51.ico
internet popup blocker1.ico
kas pink123.ico
kas pink1231.ico
kas pink1233.ico
kas pink1233a1.ico
kas pink1233aadsfa1.ico
kas pink1233aadsfa12.ico
kas4b.ico
kas4c1.ico
kasant1.ico
kevid1.ico
kevid231.ico
kevid231231.ico
kevid231231aa.ico
kill all spyware11.ico
kill all spyware212345.ico
kill all spyware212412431.ico
kill all spyware2124124311.ico
kill all spyware31.ico
kill all spyware32a1.ico
kill all spyware33a1.ico
kill all spyware41.ico
kill all spyware451.ico
kill all spywareadsfadsf1.ico
kill evidence 3.ico
kill internet popups12.ico
kill internet popups51.ico
killallspyware00.ico
killinternetpops32.ico
killinternetpops32121.ico
killinternetpopups-33.ico
killinternetpopups-33123213.ico
kspy1.ico
kxp41231.ico
laptop41.ico
mac02.ico
moviescirc2.ico
moviesorangecirc1.ico
mp3 players4sale1.ico
mp3 players4salea.ico
mp3red51aads.ico
mp3red51aads1.ico
plasma screen1.ico
poker112.ico
pop up blaster.ico
pop up blaster1.ico
pop up blaster123213.ico
pop up blaster1232131.ico
popupblocker231.ico
popupkiller1231231.ico
popupkiller123123a.ico
popupkiller2asdf1.ico
red_kas.ico
red_kas1.ico
safe1.ico
securefavorites.ico
spamnotifyiconbox324.ico
stop popups231.ico
superbowl1.ico
usagold312.ico
usaplat123123.ico
usaplat1231231231.ico
usaplatinum.ico
usaplatinum12.ico
usaplatinum12342342341.ico
usaplatinum2.ico
usaplatinum51.ico
usaplatinum609.ico
usaplatinum61.ico
usplat151.ico
usplat15112.ico
vh e2.ico
vh e23.ico
vh e233.ico
vh e2331.ico
virus hunter yeah1.ico
virushunter1.ico
virushunter21.ico
virushunter231.ico
virushunter31.ico
wmkiller2.ico
xmas.ico
xox23_icon.ico
yuk or yum 32.ico
yuk or yum 41.ico
yuk or yum 6a1.ico
yuk or yum 7.ico
yuk or yum 7adsfas1.ico
yuk or yum 8a1.ico
yuk or yum.ico
yuk or yum1a.ico
cache32_rtneg3 <== folder

If you're having problems with deleting them, try this in safe mode.


* Start HijackThis, close all open windows leaving only HijackThis running. Place a check against each of the following:

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {B9BB810E-3736-4F12-A78E-227C6D963E19} - C:\WINDOWS\System32\dpucdll.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\edonkey2000.exe" -t
O9 - Extra button: Ebates - {6685509E-B47B-4f47-8E16-9A5F3A62F683} - file://C:\Program Files\Ebates_MoeMoneyMaker\Sy350\Tp350\scri350a.htm (file missing) (HKCU)
O16 - DPF: {11111111-1111-1111-1111-111111111147} - file://C:\Program Files\Internet Explorer\1189.exe
O16 - DPF: {12398DD6-40AA-4C40-A4EC-A42CFC0DE797} (Installer Class) - http://www.xxxtoolba...0006_cracks.cab
O16 - DPF: {15AD4789-CDB4-47E1-A9DA-992EE8E6BAD6} - http://static.windup...bridge-c338.cab
O16 - DPF: {56336BCB-3D8A-11D6-A00B-0050DA18DE71} (RdxIE Class) - http://software-dl.r...RdxIE601_de.cab
O16 - DPF: {81F0C919-AB0B-4F5C-932D-5CEEF05879E9} (IITLoadCtrl Class) - https://locator.01co...p/iitloader.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {9D614E8E-03AA-11D3-90FC-0040C7157029} (PDMSInstallerCtl Class) - http://www.pakdata.c...MSInstaller.cab
O16 - DPF: {9EB320CE-BE1D-4304-A081-4B4665414BEF} - http://www.mt-downlo....cab?refid=4746
O16 - DPF: {CAAE28D1-ADCC-11D1-BD4D-004845401881} (Urdu98 Control) - http://www.pakdata.c.../urduplugin.cab
O16 - DPF: {D97287B6-4018-4060-948D-54D2122FC5C3} (G.a3) - http://www.fastfind....03C02/setup.exe
O16 - DPF: {DC187740-46A9-11D5-A815-00B0D0428C0C} - http://www.pcpowersc...pcpowerscan.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {FF65677A-8977-48CA-916A-DFF81B037DF3} (WMService Class) - http://download.over...ildAppNonUS.cab
O23 - Service: System Startup Service (SvcProc) - Unknown owner - c:\windows\SvcProc.exe (file missing)


* Click on Fix Checked when finished and exit HijackThis.

Go to start > run and type: sc delete SvcProc, then click OK.

You really need to cut down on remote desktop software. I see at least 4 different ones installed on your system. What's that for? Is one not enough?
Also, there are really a lot of unnecessary programs starting up with Windows that you may safely disable via start > run > msconfig > startup
They really slow down your system a lot. If you need them, you can always start them manually.
So uncheck in msconfig > startup all the programs which you don't really think are useful to start up with Windows.
As long as your antivirus (you don't have) and firewall (sygate) are checked, that's the most important thing. The choice is yours of course.
You can always check them again afterwards.

When finished, post a new findit's-log together with a new hijackthislog.
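
The post above asks for a new HijackThis log after "Fix Checked", and that follow-up log can be compared with the fix list mechanically. The following is an added example, not part of the thread and not HijackThis code: the function names and the entry-identity rules are assumptions, and the embedded lines are excerpts copied from this thread (fix list above, follow-up log from the next post), limited to the R, O2 and O4 sections that are fully visible in the follow-up.

```python
import re

# One HijackThis entry: a section code such as R1, O2 or O23, " - ", then the body.
ENTRY_RE = re.compile(r"^(?P<code>[A-Z]\d{1,2}) - (?P<body>.+)$")
CLSID_RE = re.compile(r"\{[0-9a-f]{8}(?:-[0-9a-f]{4}){3}-[0-9a-f]{12}\}")
O4_RE = re.compile(r"^(?P<hive>[^:]+): \[(?P<name>[^\]]*)\]")
CLSID_SECTIONS = {"O2", "O3", "O9", "O16"}  # sections whose entries are registered by CLSID

# Excerpt of the fix list from the post above (copied from the thread).
FIX_LIST = r"""
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: (no name) - {B9BB810E-3736-4F12-A78E-227C6D963E19} - C:\WINDOWS\System32\dpucdll.dll (file missing)
O4 - HKLM\..\Run: [UserFaultCheck] %systemroot%\system32\dumprep 0 -u
O4 - HKLM\..\Run: [eDonkey2000] "C:\Program Files\eDonkey2000\edonkey2000.exe" -t
"""

# Excerpt of the follow-up log posted afterwards (copied from the thread).
FOLLOWUP_LOG = r"""
Logfile of HijackThis v1.99.1
Running processes:
C:\WINDOWS\Explorer.EXE
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: (no name) - {B9BB810E-3736-4F12-A78E-227C6D963E19} - C:\WINDOWS\System32\dpucdll.dll (file missing)
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
"""


def entry_key(line):
    """Return a stable identity for a log line, or None if it is not an entry."""
    m = ENTRY_RE.match(line.strip())
    if m is None:
        return None  # header, blank line or running-process path
    code = m.group("code")
    # Case and spacing vary between scans; compare on a normalized body.
    body = " ".join(m.group("body").lower().split())
    # "(file missing)" is an annotation added by the scanner, not part of the entry.
    body = body.replace(" (file missing)", "")
    clsid = CLSID_RE.search(body)
    if code in CLSID_SECTIONS and clsid:
        # Same CLSID under HKCU and HKLM are two different registrations.
        return (code, clsid.group(0), body.endswith("(hkcu)"))
    o4 = O4_RE.match(body) if code == "O4" else None
    if o4:
        # Autorun entries are identified by Run key and value name, not by command line.
        return (code, o4.group("hive") + "|" + o4.group("name"))
    return (code, body)


def parse_entries(log_text):
    """Map entry identity to the original line for every entry in a log."""
    entries = {}
    for line in log_text.splitlines():
        key = entry_key(line)
        if key is not None:
            entries.setdefault(key, line.strip())
    return entries


def check_fix_list(fix_list_text, followup_log_text):
    """Return (remaining, cleared): fix-list entries still in the follow-up log, and those gone."""
    followup = parse_entries(followup_log_text)
    remaining, cleared = [], []
    for key, line in parse_entries(fix_list_text).items():
        (remaining if key in followup else cleared).append(line)
    return remaining, cleared


if __name__ == "__main__":
    remaining, cleared = check_fix_list(FIX_LIST, FOLLOWUP_LOG)
    for line in remaining:
        print("STILL PRESENT:", line)
    for line in cleared:
        print("cleared:      ", line)
```

On these excerpts the check reports the R1 Search Page value and the dpucdll.dll BHO as still present in the follow-up log, and the two O4 Run entries as gone.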

#15
mnadeem

    Member

  • Topic Starter
  • Member
  • 98 posts
after msconfig and sc function the new log
Logfile of HijackThis v1.99.1
Scan saved at 8:20:15 PM, on 5/16/2005
Platform: Windows XP SP2 (WinNT 5.01.2600)
MSIE: Internet Explorer v6.00 SP2 (6.00.2900.2180)

Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\SYSTEM32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\Sygate\SPF\smc.exe
C:\WINDOWS\system32\spoolsv.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\system32\ctfmon.exe
C:\WINDOWS\System32\inetsrv\inetinfo.exe
C:\WINDOWS\System32\tcpsvcs.exe
C:\WINDOWS\System32\snmp.exe
C:\WINDOWS\System32\svchost.exe
C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
C:\WINDOWS\System32\mqsvc.exe
C:\Program Files\Messenger\msmsgs.exe
C:\WINDOWS\System32\mqtgsvc.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\Explorer.EXE
C:\Program Files\Avant Browser\avant.exe
\?\C:\WINDOWS\system32\WBEM\WMIADAP.EXE
C:\Documents and Settings\fnadeem\Desktop\New Folder\HijackThis.exe

R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Bar = res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_BAND_SEARCHBAR_HTML
R1 - HKCU\Software\Microsoft\Internet Explorer\Main,Search Page = about:blank
R3 - URLSearchHook: (no name) - {BE89472C-B803-4D1D-9A9A-0A63660E0FE3} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O2 - BHO: 12Ghosts Popup-Killer - {00000000-0007-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O2 - BHO: Yahoo! Companion BHO - {02478D38-C3F9-4efb-9B51-7695ECA05670} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O2 - BHO: AcroIEHlprObj Class - {06849E9F-C8D7-4D59-B87D-784B7D6BE0B3} - C:\Program Files\Adobe\Acrobat 5.0\Reader\ActiveX\AcroIEHelper.ocx
O2 - BHO: (no name) - {53707962-6F74-2D53-2644-206D7942484F} - C:\Program Files\Spybot - Search & Destroy\SDHelper.dll
O2 - BHO: ST - {9394EDE7-C8B5-483E-8773-474BF36AF6E4} - C:\Program Files\MSN Apps\ST\01.02.3000.1002\en-xu\stmain.dll
O2 - BHO: (no name) - {B9BB810E-3736-4F12-A78E-227C6D963E19} - C:\WINDOWS\System32\dpucdll.dll (file missing)
O2 - BHO: MSNToolBandBHO - {BDBD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O2 - BHO: NAV Helper - {BDF3E430-B101-42AD-A544-FADC6B084872} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O3 - Toolbar: Yahoo! Companion - {EF99BD32-C1FB-11D2-892F-0090271D4F88} - C:\Program Files\Yahoo!\Companion\Installs\cpn4\ycomp5_5_7_0.dll
O3 - Toolbar: MSN - {BDAD1DAD-C946-4A17-ADC1-64B5B4FF55D0} - C:\Program Files\MSN Apps\MSN Toolbar\01.02.4000.1001\de\msntb.dll
O3 - Toolbar: ICQ Toolbar - {855F3B16-6D32-4fe6-8A56-BBB695989046} - C:\Program Files\ICQToolbar\toolbaru.dll
O3 - Toolbar: 12-Popup - {00000000-0008-5041-4354-0020e48020af} - C:\Program Files\12Ghosts\12popup.dll
O3 - Toolbar: Norton AntiVirus - {42CDD1BF-3FFB-4238-8AD1-7859DF00B1D6} - C:\Program Files\Norton SystemWorks\Norton AntiVirus\NavShExt.dll
O4 - HKLM\..\Run: [Name of App] C:\Program Files\SAMSUNG\FW LiveUpdate\Liveupdate.exe
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O8 - Extra context menu item: Add to AD Black List - C:\Program Files\Avant Browser\AddToADBlackList.htm
O8 - Extra context menu item: Allow popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\allowsite.htm
O8 - Extra context menu item: Block All Images from the Same Server - C:\Program Files\Avant Browser\AddAllToADBlackList.htm
O8 - Extra context menu item: Highlight - C:\Program Files\Avant Browser\Highlight.htm
O8 - Extra context menu item: Open All Links in This Page... - C:\Program Files\Avant Browser\OpenAllLinks.htm
O8 - Extra context menu item: Search - C:\Program Files\Avant Browser\Search.htm
O8 - Extra context menu item: Search Using Copernic Agent - res://C:\Program Files\Copernic Agent\CopernicAgentExt.dll/INTEGRATION_MENU_SEARCHEXT
O8 - Extra context menu item: Stop popups from this web page - C:\Program Files\GIANT Company Software inc\PopUp Inspector\denysite.htm
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\j2re1.4.2_05\bin\npjpi142_05.dll
O9 - Extra button: (no name) - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra 'Tools' menuitem: Track Page Using Copernic Agent - {0BCBCDD8-E5D9-417D-A752-C2DA929A21BF} - C:\PROGRA~1\COPERN~1\COPERN~1.DLL
O9 - Extra button: (no name) - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra 'Tools' menuitem: Launch Copernic Agent - {193B17B0-7C9F-4D5B-AEAB-8D3605EFC084} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: Fill Forms - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra 'Tools' menuitem: Fill Forms &] - {320AF880-6646-11D3-ABEE-C5DBF3571F46} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComFillForms.html
O9 - Extra button: Save - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra 'Tools' menuitem: Save Forms &[ - {320AF880-6646-11D3-ABEE-C5DBF3571F49} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComSavePass.html
O9 - Extra button: Hotmail - {4154081F-5411-4ce6-98A1-19DA0D11645E} - (no file)
O9 - Extra button: Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra 'Tools' menuitem: Yahoo! Messenger - {4528BBE0-4E08-11D5-AD55-00010333D0AD} - C:\Program Files\Yahoo!\Messenger\yhexbmes0521.dll
O9 - Extra button: ICQ Pro - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra 'Tools' menuitem: ICQ - {6224f700-cba3-4071-b251-47cb894244cd} - C:\PROGRA~1\ICQ\ICQ.exe
O9 - Extra button: Copernic Agent - {688DC797-DC11-46A7-9F1B-445F4F58CE6E} - C:\PROGRA~1\COPERN~1\COPERN~1.EXE
O9 - Extra button: RoboForm - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra 'Tools' menuitem: RF Toolbar &2 - {724d43aa-0d85-11d4-9908-00400523e39a} - file://C:\Program Files\Siber Systems\AI RoboForm\RoboFormComShowToolbar.html
O9 - Extra button: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra 'Tools' menuitem: ICQ Lite - {B863453A-26C3-4e1f-A54D-A2CD196348E9} - C:\Program Files\ICQLite\ICQLite.exe
O9 - Extra button: IE Password - {C40E0AA1-4EC1-455C-BA2B-79C336F89462} - C:\WINDOWS\system32\IEPassword.dll
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra button: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O9 - Extra 'Tools' menuitem: PopUp Inspector - {D216B74A-9A2F-4025-9690-86780AA75F6E} - C:\Program Files\GIANT Company Software inc\PopUp Inspector\PopUpInspector.exe (HKCU)
O12 - Plugin for .spop: C:\Program Files\Internet Explorer\Plugins\NPDocBox.dll
O16 - DPF: {01FE8D0A-51AD-459B-B62B-85E135128B32} (DD_v4.DDv4) - http://www.drivershq.com/DD_v4.CAB
O16 - DPF: {0246ECA8-996F-11D1-BE2F-00A0C9037DFE} (TDServer Control) - http://www.truedoc.c...ex/tdserver.cab
O16 - DPF: {0EB0E74A-2A76-4AB3-A7FB-9BD8C29F7F75} (CKAVWebScan Object) - http://www.kaspersky.../kavwebscan.cab
O16 - DPF: {17492023-C23A-453E-A040-C7C580BBF700} (Windows Genuine Advantage Validation Tool) - http://go.microsoft....467&clcid=0x409
O16 - DPF: {1F2F4C9E-6F09-47BC-970D-3C54734667FE} (LSSupCtl Class) - http://www.symantec....sa/LSSupCtl.cab
O16 - DPF: {2BC66F54-93A8-11D3-BEB6-00105AA9B6AE} (Symantec AntiVirus scanner) - http://security.syma...bin/AvSniff.cab
O16 - DPF: {644E432F-49D3-41A1-8DD5-E099162EEEC5} (Symantec RuFSI Utility Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {74FFE28D-2378-11D5-990C-006094235084} (IBM Access Support) - https://www.ibm.com/...ad/IbmEgath.cab
O16 - DPF: {86A88967-7A20-11D2-8EDA-00600818EDB1} (ParallelGraphics Cortona Control) - http://www.parallelg...in/cortvrml.cab
O16 - DPF: {90C9629E-CD32-11D3-BBFB-00105A1F0D68} (InstallShield International Setup Player) - http://www.lizardtec...tall/isetup.cab
O16 - DPF: {94118C19-B178-4E43-BBE8-0EFDBB391BDB} - http://www.sponsorad...sWebTelecom.cab
O16 - DPF: {B38870E4-7ECB-40DA-8C6A-595F0A5519FF} (MsnMessengerSetupDownloadControl Class) - http://messenger.msn...pDownloader.cab
O16 - DPF: {B9191F79-5613-4C76-AA2A-398534BB8999} (YAddBook Class) - http://us.dl1.yimg.c...utocomplete.cab
O16 - DPF: {C2FCEF52-ACE9-11D3-BEBD-00105AA9B6AE} (Symantec RuFSI Registry Information Class) - http://security.syma...n/bin/cabsa.cab
O16 - DPF: {CE28D5D2-60CF-4C7D-9FE8-0F47A3308078} (ActiveDataInfo Class) - http://www.symantec....sa/SymAData.cab
O16 - DPF: {DDFFA75A-E81D-4454-89FC-B9FD0631E726} - http://www.bundlewar...veX/DS3/DS3.cab
O16 - DPF: {E6A3C1E2-F792-483E-9133-596215172BE9} (AcceptLang Class) - http://runonce.msn.c...tacceptlang.cab
O16 - DPF: {EF58E341-49C3-4156-A3C4-5FFCA7C1EAB7} (EURAS_Portal.Gateway) - http://www.euras.com...ivex2/euras.CAB
O17 - HKLM\System\CCS\Services\Tcpip\..\{EF29FF8C-B1EA-4A05-B79B-91C0465D8EE9}: NameServer = 209.47.15.118,64.157.143.38,192.168.121.252,192.168.121.253
O23 - Service: Sygate Personal Firewall (SmcService) - Sygate Technologies, Inc. - C:\Program Files\Sygate\SPF\smc.exe

also do have also delete everything give no soft do automatic. it will take some time, give advice